MS17-010 Vulnerability - EternalBlue exploit using a binary payload and python script on Windows 8.1 and Windows 2012 R2 targets

In this video we exploit the MS17-010 Vulnerability (EternalBlue) on Windows 8.1 and Windows 2012 R2 targets. We use the shellcode (binary payloads) that we previously generated, in addition to a python script and Metasploit Framework.

Please check my previous post on generating the shellcode:
Generating shellcode - using msfvenom to generate a binary payload

We also need Worawit's eternalblue8_exploit.py python script, which can be downloaded from the following GitHub URL:
https://gist.github.com/worawit/074a27e90a3686506fc586249934a30e

Many of the commands used in this video are very similar to the ones used in my previous Windows 7 / Windows 2008 R2 exploitation video, so please check the post below for more explanations:
MS17-010 Vulnerability - EternalBlue exploit using a binary payload and python script on Windows 7 and Windows 2008 R2 targets

Still, when using the EternalBlue exploit, there is an important difference between Windows 7 / Windows 2008 R2 on one side and Windows 8.1 / Windows 2012 R2 on the other.
Windows 7 and Windows 2008 R2 accept NULL sessions by default, while Windows 8.1 and Windows 2012 R2 do not.
In the video, we test NULL session establishment against each OS with the following command:
net use \\<VM_IP_Address>\IPC$ "" /u:""

Because of this difference, in the case of Windows 8.1 / Windows 2012 R2 targets, the exploitation python script needs a non-admin user ID to initially connect to the target and deliver the payload.
During penetration testing scenarios, the non-admin user ID has to be obtained via social engineering or other means. For our testing purposes, a local non-admin user ID is manually created on the Windows 8.1 and Windows 2012 R2 test VMs with the following credentials:
User_id: testuser1
Password: P@ssw0rd
The eternalblue8_exploit.py python script is then edited in order to use the credentials above.
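As an added defensive check (not part of the original post), the following PowerShell reads the registry values that govern anonymous (NULL session) access to IPC$ on the local host, so an administrator can confirm which of the two default behaviours described above a given host exhibits. The value names and their locations under Control\Lsa and Services\LanmanServer\Parameters are the standard policy locations; treating an absent RestrictNullSessAccess as "restricted" is an assumption about the OS default.

```powershell
# Added audit helper, not code from the original post.
# Reads the registry values that control NULL session (anonymous) access
# so a defender can verify whether a host accepts NULL sessions.
# Assumed value names: RestrictAnonymous, RestrictAnonymousSAM and
# EveryoneIncludesAnonymous under Control\Lsa, and RestrictNullSessAccess
# under Services\LanmanServer\Parameters.
function Get-NullSessionPolicy {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

    # Returns the DWORD value, or $null when the value is absent (OS default applies).
    function Read-Dword($path, $name) {
        $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $item) { return $null }
        return [int]$item.$name
    }

    $result = [ordered]@{
        RestrictAnonymous         = Read-Dword $lsa 'RestrictAnonymous'
        RestrictAnonymousSAM      = Read-Dword $lsa 'RestrictAnonymousSAM'
        EveryoneIncludesAnonymous = Read-Dword $lsa 'EveryoneIncludesAnonymous'
        RestrictNullSessAccess    = Read-Dword $srv 'RestrictNullSessAccess'
    }

    # The host is reported as restricting NULL sessions when
    # RestrictNullSessAccess is not explicitly 0 (assumption: an absent value
    # means the OS default, which restricts on current Windows) and anonymous
    # logons are not folded into the Everyone group.
    $restricted = ($result['RestrictNullSessAccess'] -ne 0) -and
                  ($result['EveryoneIncludesAnonymous'] -ne 1)
    $result['NullSessionRestricted'] = $restricted
    return [pscustomobject]$result
}

# Usage: run in an elevated PowerShell on the host under review.
Get-NullSessionPolicy | Format-List
```

Running this on a Windows 8.1 / 2012 R2 host should report NullSessionRestricted as True, matching the "access denied" result of the net use test above; a False result means the host is configured to accept NULL sessions and should be reviewed.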

The command used for running the EternalBlue exploit script is:
python eternalblue8_exploit.py <Target_IP> <shellcode_file> [numGroomConn]
where:
<Target_IP> - can be the IP address for the test Windows 8.1 machine (192.168.254.163) or for the test Windows 2012 R2 machine (192.168.254.165)
<shellcode_file> - can be sc_x64.bin (the binary payload without NOP sled) or sc_x64_100n.bin (the binary payload with NOP sled)
[numGroomConn] - is an optional parameter which by default has the value 13. It is used in the EternalBlue exploit script for the buffer overflow attack. If the exploit fails, but the target does not crash, then try increasing the "numGroomConn" value.
