MS17-010 Vulnerability - New EternalRomance / EternalSynergy / EternalChampion SMB modules for Metasploit - Exploiting Windows 10 and Windows 2008 R2

Until early last month, Metasploit had only two modules related to the MS17-010 SMB vulnerability.
The first module, auxiliary/scanner/smb/smb_ms17_010, is a scanner for detecting the MS17-010 vulnerability. We covered this module in a previous post.
The second module, exploit/windows/smb/ms17_010_eternalblue, is the MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption exploit. We also covered this exploit in a previous post here.
The EternalBlue exploit was designed to work against Windows 7 and Windows Server 2008 R2 targets, which is quite restrictive from an OS point of view.
We also previously discussed the MS17-010 DoublePulsar exploit, which can be used against more OSes; however, that module does not ship with Metasploit by default and has to be downloaded and installed separately.

Fortunately, last month Metasploit released two long-awaited new modules for the MS17-010 vulnerability: auxiliary/admin/smb/ms17_010_command and exploit/windows/smb/ms17_010_psexec.

auxiliary/admin/smb/ms17_010_command is an MS17-010 EternalRomance / EternalSynergy / EternalChampion SMB Remote Windows Command Execution auxiliary module, which runs a command on the victim computer under the Administrator / SYSTEM user context.

exploit/windows/smb/ms17_010_psexec is an MS17-010 EternalRomance / EternalSynergy / EternalChampion SMB Remote Windows Code Execution exploit module, which delivers a payload to the victim computer and (usually) opens a Meterpreter session under the SYSTEM user context.

One advantage of the new EternalRomance / EternalSynergy / EternalChampion Metasploit modules over the older EternalBlue exploit module is that the new modules are compatible with all Microsoft OS versions post-Windows 2000.
In addition, the new EternalRomance / EternalSynergy / EternalChampion modules are supposed to be more stable and more reliable, and should crash the target far less often than the EternalBlue exploit.

To run successfully, the EternalBlue exploit needs access to the IPC$ share on the target computer.
The EternalRomance / EternalSynergy / EternalChampion modules, on the other hand, need access to a named pipe on the target computer.
On newer Microsoft OS versions, anonymous access to all named pipes is disabled by default.

If you want to test these new modules in your own lab, then you will have to update the Kali Linux OS first. You can find the update commands in my previous post here. Updating Kali Linux will also update Metasploit and will install the new modules.

The test machine in my video is running Windows 10 Update 1607 (Build 14393.0). This particular version was released in mid 2016, before the MS17-010 vulnerability was made public.
I made sure that the Windows 10 OS was not updated (patched) during or after deployment by disabling Internet access for this test machine.
I also disabled the firewall just in case (this is not necessary as long as port 445 is accessible).

The details of my lab are as in the picture below:

In my video, I spent time covering the following module requirements, before attempting exploitation:

a) SMBv1 (Server) must be enabled. Be aware that the latest builds of Windows 10 ship with separate SMBv1 Client and SMBv1 Server feature components, and the SMBv1 Server component is disabled.
Without SMBv1 Server enabled, this exploit cannot work.
In the video I check that SMBv1 is enabled on my Windows 10 test machine (for the particular OS build that I'm using it is enabled by default).

b) The OS must be vulnerable to MS17-010 (i.e. the Microsoft MS17-010 patch must not be applied). Newer OS builds (released after March-April 2017) already include the MS17-010 patch in the installation files.
In the video, I use the Metasploit MS17-010 scanner module to check this requirement.

c) Named pipe(s) must be accessible on the target computer. As mentioned before, without named pipe access these modules will not exploit successfully.
In the video, I use another auxiliary Metasploit module, pipe_auditor, to check this particular requirement.
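Requirements a) and c) (and the earlier note that newer Windows versions disable anonymous named-pipe access by default) can be verified on the Windows host itself, which is the view a defender wants when deciding whether a machine is exposed to these modules. The script below is an added, read-only example written for this post; it is not part of the original post or of Metasploit. It assumes an elevated PowerShell prompt on the audited host, uses the standard Get-WindowsOptionalFeature / Get-SmbServerConfiguration cmdlets (the latter is absent on Windows Server 2008 R2, hence the fallbacks), and reads the LanmanServer registry values that govern null-session pipe access. Requirement b) is deliberately left to the Metasploit scanner module described above, since no specific KB number is given in this post. The function and property names (Test-Ms17010Preconditions, Smb1ServerEnabled, AnonymousPipesPossible) are this example's own.

```powershell
# Added example (not from the original post): read-only check of two of the
# host-side preconditions the post lists for the ms17_010_* modules:
#   a) SMBv1 Server enabled
#   c) named pipes reachable anonymously (null session)
# Run from an elevated PowerShell prompt on the Windows host being audited.
# Nothing here changes configuration; the Remediation field is only a suggested command.

function Get-Smb1ServerState {
    # Current Windows 10 builds split SMBv1 into separate Client/Server optional
    # features; older builds only expose the protocol switch on the SMB server config.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol-Server -ErrorAction SilentlyContinue
    $config  = Get-SmbServerConfiguration -ErrorAction SilentlyContinue   # not available on 2008 R2
    [pscustomobject]@{
        Smb1ServerFeature  = if ($feature) { $feature.State.ToString() } else { 'NotPresent' }
        EnableSMB1Protocol = if ($config)  { $config.EnableSMB1Protocol } else { $null }
    }
}

function Get-NullSessionPipeState {
    # LanmanServer parameters controlling anonymous (null-session) access to named pipes.
    # RestrictNullSessAccess absent or 1 => restricted (the modern default);
    # NullSessionPipes lists pipes explicitly exempted from that restriction.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $p   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RestrictNullSessAccess = $p.RestrictNullSessAccess
        NullSessionPipes       = @($p.NullSessionPipes | Where-Object { $_ -ne '' })
    }
}

function Test-Ms17010Preconditions {
    $smb1  = Get-Smb1ServerState
    $pipes = Get-NullSessionPipeState

    # a) SMBv1 server is on if either the optional feature is enabled or the protocol switch is true.
    $smb1On = ($smb1.Smb1ServerFeature -eq 'Enabled') -or ($smb1.EnableSMB1Protocol -eq $true)

    # c) anonymous pipe access is possible if the restriction is explicitly turned off
    #    or if any pipe has been exempted from it.
    $anonPipes = ($pipes.RestrictNullSessAccess -eq 0) -or ($pipes.NullSessionPipes.Count -gt 0)

    [pscustomobject]@{
        Smb1ServerEnabled      = $smb1On
        AnonymousPipesPossible = $anonPipes
        ExemptedPipes          = ($pipes.NullSessionPipes -join ', ')
        Remediation            = if ($smb1On) {
            'Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol-Server ; Set-SmbServerConfiguration -EnableSMB1Protocol $false'
        } else { 'SMBv1 Server already disabled' }
    }
}

Test-Ms17010Preconditions | Format-List
```

A host reporting Smb1ServerEnabled = False fails requirement a) and is not reachable by these modules regardless of patch level; one reporting AnonymousPipesPossible = False with an empty ExemptedPipes list is in the state the post describes as the newer-OS default, so the pipe_auditor module would be expected to find nothing without credentials.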

Many of the Metasploit commands used in this video were discussed and explained in my previous videos, so I will not repeat them in this post.
The options for the new modules are also very easy to understand, so I will only mention them briefly here:

auxiliary/scanner/smb/pipe_auditor

This module determines which named pipes are accessible over SMB.

RHOSTS - the target IP address or the target range of IP addresses.

SMBUser / SMBPass / SMBDomain - optional user credentials. Anonymous access will be attempted if they are left blank.

auxiliary/admin/smb/ms17_010_command

This module runs a command on the target computer under the SYSTEM user context.

COMMAND - the specific command to be executed on the target computer.
Note that the default command works if the remote host is part of an AD domain.
My Windows 10 test machine is standalone, so I changed the default command to "net user".

exploit/windows/smb/ms17_010_psexec

This module delivers a payload to the victim computer and opens a Meterpreter session.

Note that by default, this module uses the Meterpreter reverse_tcp payload.
