3ndG4me / AutoBlue-MS17-010

This is just a semi-automated, fully working, no-bs, non-metasploit version of the public exploit code for MS17-010
MIT License

Update shell_prep.sh #6

Closed oezgan closed 6 years ago

oezgan commented 6 years ago

Use a non-staged payload instead of the staged one.

3ndG4me commented 6 years ago

Hey @oezgan thanks for the pull request. I did intend to add in non-staged payloads at some point, but I think instead of replacing staged payloads, non-staged should be added as another option so the user can choose to use staged or non-staged. I’d also like to have the same option for the meterpreter payload as well.

If you’d like to make those changes to your pull request I’d be happy to accept it!

oezgan commented 6 years ago

Hey, I personally do not see the point of having a staged non-meterpreter payload since you need MSF to handle the staged payload anyway, but your repo, your rules :)
I am not very good at bash scripting and the next couple of weeks do not look good for me. If I find the time I will certainly try. Also "we" can use the zzz_exploit.py from the original repo: here for Windows XP and Win2k-like systems.
The idea would be that the shell_prepare.sh can also produce a shell.exe which would be run by the zzz_exploit.py. I am good with Python; I can do the modifications. Also, where can I get some VM images for these systems :)? I am currently in the OSCP Lab but that won't last forever.

3ndG4me commented 6 years ago

Well, the benefit in the staged payload is smaller shellcode and generally some stability trade-offs one way or the other. It gives us the ability to easily try different things. Really it’s fine as is if you’re intending to always use msfconsole’s multi handler, whereas the benefit in the non-staged payload means you could use something like ncat to catch the shell instead if you wanted to.

So it’s just about different combinations and options being available to the end user. I know for a basic shell it’s not too big of a deal, but I’ve seen several times where for one reason or another staged worked when non-staged didn’t and vice versa. Just nice to have options :).

As far as the zzz_exploit.py goes from the original repo, I was intending to eventually pull in exploits from that repo one at a time as I validate them and understand how they work fully. Unfortunately that’s gonna take me some time, so if you understand how one of them works and want to make some improvements to it and provide some instructional documentation, I’d be happy to look it over and merge it in! That’ll be a great help for sure in speeding up that process.

When it comes to test machines, usually googling for Windows 7 and Windows 10 ISOs yields good results. XP is a bit harder to find nowadays, but I think in all cases you could check out Vagrant and see if some people have pre-made boxes. I know there are a lot out there. I wish I could provide a more direct resource; all of my VMs are either ISOs I’ve downloaded over the years or old copies of Windows on a physical disk I’ve had around the house. I’d like to share them at some point. It’s not a complete collection by any means, but I just need to sit down and find time to upload them. Good luck, and thank you for your feedback!

3ndG4me commented 6 years ago

Resolved by pull request #8. Thank you for the initial contribution!