| 1 | +ms17_010_eternalblue is a remote exploit against Microsoft Windows, originally written by the |
| 2 | +Equation Group (NSA) and leaked by Shadow Brokers (an unknown hacking entity). It is |
| 3 | +considered a reliable exploit, and allows you to gain access not only as SYSTEM - the highest Windows |
| 4 | +user mode privilege, but also full control of the kernel in ring 0. In modern day penetration test, |
| 5 | +this exploit can be found in internal and external environments. |
| 6 | + |
| 7 | +As far as remote kernel exploits go, this one is highly reliable and safe to use. |
| 8 | + |
| 9 | +The check command of ms17_010_eternalblue is also highly accurate, because Microsoft's patch |
| 10 | +inadvertently added an information disclosure with extra checks on vulnerable code paths. |
| 11 | + |
| 12 | + |
| 13 | +## Vulnerable Application |
| 14 | + |
| 15 | +This exploit works against a vulnerable SMB service from one of these Windows systems: |
| 16 | + |
| 17 | +* Windows XP x86 (All Service Packs) |
| 18 | +* Windows 2003 x86 (All Service Packs) |
| 19 | +* Windows 7 x86 (All Service Packs) |
| 20 | +* Windows 7 x64 (All Service Packs) |
| 21 | +* Windows 2008 R2 x64 (All Service Packs) |
| 22 | + |
| 23 | +To reliability determine whether the machine is vulnerable, you will have to either examine |
| 24 | +the system's patch level, or use a vulnerability check. |
| 25 | + |
| 26 | +## Verification Steps |
| 27 | + |
| 28 | +- [x] Start `msfconsole` |
| 29 | +- [x] `use exploit/windows/smb/ms17_010_eternalblue` |
| 30 | +- [x] `set RHOST` to Windows 7/2008 x64 |
| 31 | +- [x] `set PAYLOAD` |
| 32 | +- [x] `exploit` |
| 33 | +- [x] **Verify** that you get a shell |
| 34 | +- [x] **Verify** that you do not crash (post an Issue with core dump if you do) |
| 35 | + |
| 36 | +## Options |
| 37 | + |
| 38 | +``` |
| 39 | +set ProcessName [string] |
| 40 | +``` |
| 41 | + |
| 42 | +This is the usermode process that an APC containing shellcode will be queued into. |
| 43 | +This should probably be a SYSTEM process, such as `lsass.exe` or `spoolsv.exe`. |
| 44 | + |
| 45 | +``` |
| 46 | +set MaxExploitAttempts [integer] |
| 47 | +``` |
| 48 | + |
| 49 | +Grooming the kernel does not always succeed, so this is the amount of times to retry |
| 50 | +the exploit. |
| 51 | + |
| 52 | +``` |
| 53 | +set GroomAllocations [integer] |
| 54 | +``` |
| 55 | + |
| 56 | +This is the base number of groom packets that will be sent per exploit. |
| 57 | + |
| 58 | +``` |
| 59 | +set GroomDelta [integer] |
| 60 | +``` |
| 61 | + |
| 62 | +This is the number the grooms will increase per exploit try, if previous try failed. |
| 63 | + |
| 64 | +**Unsafe configuration of Target** |
| 65 | +It is not possible to determine the Architecture (x86 or x64) of a machine from its |
| 66 | +SMB headers. The exploit has safeguards to silently fail if you use the wrong arch. |
| 67 | +If the shells aren't poppin', try to change the architecture. |
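Review bot: typo at line 23 of the added document, "To reliability determine whether the machine is vulnerable" should read "To reliably determine whether the machine is vulnerable", and line 4 "In modern day penetration test" should be "In modern-day penetration tests". A second, smaller point: the architecture caveat at lines 64-67 is the one operator-safety note in the file, but it is set as a bold line ("**Unsafe configuration of Target**") while every other section uses a `## ` heading, and the list markers differ between "Vulnerable Application" (`*`) and "Verification Steps" (`-`); suggest a `## Target architecture` heading for that block and one list style throughout so the caveat is not easy to miss.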