
Converts the external ms17_010_eternalblue_win8 to run only with Python3 #14411

Merged
merged 2 commits into from
Dec 5, 2020

Conversation

agalway-r7
Contributor

@agalway-r7 agalway-r7 commented Nov 20, 2020

Closes #13478

This PR changes the ms17_010_eternalblue_win8.py external module to run only with python3, and makes the necessary changes to the strings in the exploit to ensure shellcode is generated successfully. One of the main differences between Python2 & Python3 is that in python2, strings are stored as bytes, whereas in python3, they are stored as unicode strings:
image

This means that any shellcode that needs to be stored as bytes before being sent to the victim machine has to be explicitly set as a byte string with b'<shellcode>'.

Verification

  • Start msfconsole
  • use windows/smb/ms17_010_eternalblue_win8
  • run
  • Verify the module can successfully create a meterpreter session
  • Verify the module can successfully execute another payload (IE payload/cmd/windows/generic)

Big thanks to @kal1s for his detailed post on the issue.
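The bytes-versus-str point from the description, as an added example (this is not code from the PR or from the Metasploit module, and the byte values are constructed placeholders, not shellcode): it joins fragments while refusing any that are not bytes, shows why encoding a str with the wrong codec changes the payload length, and shows that adjacent bytes literals concatenate without a "+" while a mixed bytes/str literal is a compile-time error.

```python
"""Added example (not part of the PR or the Metasploit module): why Python 3
shellcode fragments must be bytes literals, and how to catch a stray str
fragment before anything is sent. The byte values below are constructed
placeholders, not shellcode from the module."""


def assemble(fragments):
    """Join fragments, refusing anything that is not bytes.

    Python 3 raises TypeError on bytes + str, but only when it reaches the
    stray fragment; checking up front reports the index of the offending piece.
    """
    for i, frag in enumerate(fragments):
        if not isinstance(frag, (bytes, bytearray)):
            raise TypeError(f"fragment {i} is {type(frag).__name__}, expected bytes")
    return b"".join(fragments)


def encoded_lengths(text):
    """Return (latin-1 length, utf-8 length) for a str holding byte values.

    In Python 2 the literal '\\xc1\\x41' was already two bytes. In Python 3 it
    is a two-character str: latin-1 round-trips it to two bytes, but utf-8
    expands every code point above 0x7f to two bytes, silently corrupting the
    payload.
    """
    return len(text.encode("latin-1")), len(text.encode("utf-8"))


def implicit_concat():
    """Adjacent bytes literals are concatenated at compile time, so the '+'
    between fragments is optional as long as every literal carries the b prefix."""
    return b"\x01\x02" b"\xc1\x41"


def mixed_literal_is_syntax_error():
    """Mixing a bytes literal with a str literal by adjacency is rejected by the
    compiler ('cannot mix bytes and nonbytes literals'), not at run time."""
    try:
        compile("b'\\x01' '\\x02'", "<constructed>", "eval")
    except SyntaxError:
        return True
    return False


if __name__ == "__main__":
    good = [b"\x01\x02", b"\xc1\x41"]
    print(assemble(good).hex())                # 0102c141
    try:
        assemble([b"\x01\x02", "\xc1\x41"])    # str fragment, the bug class fixed here
    except TypeError as exc:
        print("rejected:", exc)
    print(encoded_lengths("\xc1\x41"))         # (2, 3)
    print(mixed_literal_is_syntax_error())     # True
```

The up-front type check is the practical takeaway: a module that builds a payload from dozens of literals should fail on the first non-bytes fragment with its index, rather than with a TypeError from deep inside a concatenation chain.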

@agalway-r7 agalway-r7 added the bug label Nov 20, 2020
'\xc1\x41\x5f\x5e\x5f\x5b\x5d\xc3\x48\x92\x31\xc9\x51\x51\x49'
'\x89\xc9\x4c\x8d\x05\x0d\x00\x00\x00\x89\xca\x48\x83\xec\x20'
'\xff\xd0\x48\x83\xc4\x30\xc3'
b'\x55\xe8\x2e\x00\x00\x00\xb9\x82\x00\x00\xc0\x0f\x32\x4c\x8d'+
Contributor Author

@agalway-r7 agalway-r7 Nov 20, 2020


You could get rid of the + symbols in this code and clean it up, like so:

Suggested change
b'\x55\xe8\x2e\x00\x00\x00\xb9\x82\x00\x00\xc0\x0f\x32\x4c\x8d'+
b'\x55\xe8\x2e\x00\x00\x00\xb9\x82\x00\x00\xc0\x0f\x32\x4c\x8d'

But it doesn't seem to work as well ¯\_(ツ)_/¯

@adfoster-r7
Contributor

Closes #13458

Just to confirm, does this PR fix that issue? 👀

@agalway-r7
Contributor Author

Closes #13458

Just to confirm, does this PR fix that issue? 👀

Nope. Fixed the Closes reference in the description

@adfoster-r7
Contributor

This looks good to me, we'll have to confirm what the experience is for a python 2.x user, and if we want to use #!/usr/bin/env python3 or not

@agalway-r7
Contributor Author

agalway-r7 commented Nov 25, 2020

This looks good to me, we'll have to confirm what the experience is for a python 2.x user, and if we want to use #!/usr/bin/env python3 or not

IIRC the script won't work for python2.x

@cgranleese-r7 cgranleese-r7 self-assigned this Nov 25, 2020
@cgranleese-r7
Contributor

I seem to be getting an issue when, after successfully getting a meterpreter session, I exit the session and try to run again straight away. It returns this stack trace:

image

This isn't super consistent, has happened maybe three times during testing.

@adfoster-r7
Contributor

@cgranleese-r7 What's the result of running ulimit -a on your machine? 👀

@cgranleese-r7
Contributor

@adfoster-r7

image

@adfoster-r7
Contributor

I wonder if you're running out of file descriptors, as the external modules are spun up in their own process, which in this case will include loading the python runtime and all of the associated dependencies 🤔

There's probably easier ways than this, but this might help get you started on confirming what's happening:

msf6 exploit(solaris/ssh/pam_username_bof) > irb
[*] Starting IRB shell...
[*] You are in exploit/solaris/ssh/pam_username_bof

>> $PID
=> 41666
>> `lsof -p 41666`; nil
"COMMAND   PID     USER   FD    TYPE             DEVICE  SIZE/OFF                NODE NAME\n" +
"ruby    41666 adfoster  cwd     DIR                1,4      2176              958267 /Users/adfoster/Documents/code/metasploit-framework\n" +
"ruby    41666 adfoster  txt     REG                1,4     13184            30801815 /Users/adfoster/.rvm/rubies/ruby-2.7.2/bin/ruby\n" +
... etc ...
=> nil
>> `lsof -p 41666`.lines.length - 1
=> 75
>> 
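The same descriptor check from the Python side, as an added example (not code from the PR, the module, or the comment above): it counts the descriptors the current process holds, compares them with the RLIMIT_NOFILE soft and hard limits that `ulimit -a` reports, and reproduces the "Too many open files" failure under a deliberately lowered soft limit so the symptom can be recognised. It assumes a Unix host, since the `resource` module is not available on Windows.

```python
"""Added example (not part of the PR): report open-descriptor headroom for this
process and reproduce EMFILE under a deliberately lowered soft limit. Assumes a
Unix host; the resource module does not exist on Windows."""
import errno
import os
import resource


def open_fd_count():
    """Count the descriptors this process currently holds open.

    /proc/self/fd (Linux) or /dev/fd (macOS/BSD) lists them directly; reading
    the listing briefly opens one extra descriptor, so the count may be one
    high. Elsewhere, probe every descriptor number below the soft limit.
    """
    for path in ("/proc/self/fd", "/dev/fd"):
        try:
            return len(os.listdir(path))
        except OSError:
            continue
    soft, _ = resource.getrlimit(resource.RLIMIT_NOFILE)
    limit = 65536 if soft == resource.RLIM_INFINITY else min(soft, 65536)
    count = 0
    for fd in range(limit):
        try:
            os.fstat(fd)
            count += 1
        except OSError:
            pass
    return count


def fd_headroom():
    """Return (open, soft_limit, hard_limit, remaining); remaining is None when
    the soft limit is unlimited."""
    soft, hard = resource.getrlimit(resource.RLIMIT_NOFILE)
    used = open_fd_count()
    remaining = None if soft == resource.RLIM_INFINITY else soft - used
    return used, soft, hard, remaining


def exhaustion_reproduces_emfile():
    """Lower the soft limit to just above current usage, open descriptors until
    the kernel refuses, and confirm the error is EMFILE. Descriptors and the
    original limit are restored before returning."""
    soft, hard = resource.getrlimit(resource.RLIMIT_NOFILE)
    lowered = open_fd_count() + 3
    if hard != resource.RLIM_INFINITY:
        lowered = min(lowered, hard)
    resource.setrlimit(resource.RLIMIT_NOFILE, (lowered, hard))
    opened, seen = [], None
    try:
        for _ in range(lowered + 5):
            opened.append(os.open(os.devnull, os.O_RDONLY))
    except OSError as exc:
        seen = exc.errno
    finally:
        for fd in opened:
            os.close(fd)
        resource.setrlimit(resource.RLIMIT_NOFILE, (soft, hard))
    return seen == errno.EMFILE


if __name__ == "__main__":
    used, soft, hard, remaining = fd_headroom()
    print(f"open={used} soft={soft} hard={hard} remaining={remaining}")
    print("EMFILE reproduced:", exhaustion_reproduces_emfile())
```

If `remaining` is small on a run that just closed a session, the descriptor-leak hypothesis is worth pursuing; if it is large and the failure still appears, the limit is not the cause.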

@cgranleese-r7
Contributor

cgranleese-r7 commented Dec 3, 2020

This error was found during testing, I believe this only occurred once. @agalway-r7 and I found this when running through some testing on a call but adding it here for visibility.

image

@agalway-r7
Contributor Author

This error was found during testing, I believe this only occurred once. @agalway-r7 and I found this when running through some testing on a call but adding it here for visibility.

image

Fixed with latest commit, there was a stray byte + string concatenation I missed

@cgranleese-r7
Contributor

cgranleese-r7 commented Dec 4, 2020

Gave this another test. Didn't encounter any of the previous errors.
image

Got a shell on 2/10 tries in quick succession: got one on the first run and the third run. Just got [*] Exploit completed, but no session was created after that.

I'm happy to merge once Travis catches up 👍

@cgranleese-r7 cgranleese-r7 merged commit 96c62ae into rapid7:master Dec 5, 2020
@cgranleese-r7
Contributor

Release Notes

This PR changes the ms17_010_eternalblue_win8.py external module to run only with python3, and makes the necessary changes to the strings in the exploit to ensure shellcode is generated successfully. One of the main differences between Python2 & Python3 is that in python2, strings are stored as bytes, whereas in python3, they are stored as unicode strings.

@cgranleese-r7 cgranleese-r7 added the rn-fix release notes fix label Dec 5, 2020
Labels
bug rn-fix release notes fix
Development

Successfully merging this pull request may close these issues.

ms17_010_eternalblue_win8 does not work with Python 3.
3 participants