ms17-010备忘录
1 minute read
0x00 About
检测方法:
1.msf search ms17010
2.https://github.com/RiskSense-Ops/MS17-010
实战溢出getshell方法:
1.https://github.com/fuzzbunch/fuzzbunch
a)命令行模式:python fb.py(先用eternalblue再用double[tab])
b)gui模式:python configure_lp.py
2.msf第三方组合工具
https://www.youtube.com/watch?v=4OHLor9VaRI
x64kali:
dpkg --add-architecture i386 && apt-get update && apt-get install wine32
rm -r ~/.wine
wine cmd.exe
exit
https://github.com/ElevenPaths/Eternalblue-Doublepulsar-Metasploit
3.python版https://www.t00ls.net/thread-39687-1-1.html
0x01 Attention
1.win7 x86效果不好,不稳定,原因不明,考虑换成fuzzbunch的gui方法
2.目标是win7 x86时用reverse_tcp时必须用lport=4444,本机的端口为4444(test in elevenpaths/eternalblue-doublepulsar-metasploit)
3.目标是win7 x86时用bind_tcp时必须用lport=4444,目标的端口为4444(test in elevenpaths/eternalblue-doublepulsar-metasploit)
2.fuzzbunch的命令行模式默认设置的注入的进程是lsass.exe,x86平台下会导致目标机器重启,换成explorer.exe(或wlms.exe)
3.目标系统为x64位系统最好设置注入进程为lsass.exe
4.有些有公网ip的云主机(vps)就算设置了打开一些端口也会被服务商过滤掉,这种情况要在vps上开不容易被过滤的端口,比如443,53,80等
0x02 Special
特殊利用方式,用这个漏洞来提权,smb叠加利用提权
https://www.t00ls.net/thread-39703-1-1.html