0xma Cyber Security Articles




April 2, 2021

Exploit EternalBlue with Custom Exploit (CVE-2017-0144) - 01

In this tutorial we will see how to gain access to a remote computer using the EternalBlue exploit. EternalBlue exploits a vulnerability in Microsoft's implementation of the Server Message Block (SMB) protocol. This vulnerability is denoted by CVE-2017-0144. The vulnerability exists because the SMB version 1 (SMBv1) server in various versions of Microsoft Windows mishandles specially crafted packets from remote attackers, allowing them to execute arbitrary code on the target computer.

We can download the exploit from this Github page.

Exploit page in GitHub.

This gives a quick description of the exploit.

A quick introduction to the exploit in GitHub.

The Requirements section lists all the things we have to have on our system for the exploit to work.

Requirements section from the GitHub page.

Let's clone the exploit to our local machine.

Cloning the exploit directory.

This shows the contents of the exploit directory. Note the requirements.txt file which contains all the Python modules that we need for this exploit to work.

Contents of the exploit directory.

To install all the Python modules in the requirements.txt file we need to run pip2.7 install -r requirements.txt.

Installing the requirements.

In order to check if the target system is patched against this exploit or not, we have to run the "eternal_checker.py" file followed by the IP address of the target box. In this particular instance, we can see that the target is not patched.

Executing the eternal_checker.py script.

Let's move to the shellcode directory. This directory will contain the shellcodes that we would want to run on the target.

Contents of the exploit directory.

In order to generate our shellcode, we need to run the "shell_prep.sh" script. It prompts us to enter the local IP address, the ports on which we will be listening depending whether the payload is 32-bit or 64-bit, what kind of a shell we want to generate (meterpreter or regular) and also whether we want the payload to be staged or stageless.

Execution of the shell_prep.sh script. Execution of the shell_prep.sh script.

We can see that seven .bin files have been generated which can be used on the target depending on its architecture.

Contents of the exploit directory.

Let's move back a directory and see what others files are there that we need to run.

Contents of the exploit directory.

In order to connect to the target, we have to be listening for connections from the target computer. "listener_prep.sh" prompts us to enter the IP address of the interface on which we will be listening along with the specific ports to which our payload will connect (we have two different ports, one for the 32-bit payload and the other for the 64-bit payload), in addition to that we have to specify the type of shell that we will be expecting (meterpreter or regular) and also the type of payload that will be connecting back to us (staged or stageless).

Executing the listener_prep.sh file. Executing the listener_prep.sh file.

We have three different exploit files: eternalblue_exploit10.py, eternalblue_exploit8.py and eternalblue_exploit7.py. These exploits work for different versions of Windows: Windows 10, Windows 8 and Windows 7.

Contents of the exploit directory.

Since our target is a Windows 7 box, we will be running the eternalblue_exploit7.py script. Note that for the first argument, this script takes the IP address of the target box. And for the second argument, it takes the shellcode that we generated earlier. We are using the sc_all.bin shellcode for this instance.

Executing the exploit with the sc_all.bin shellcode.

Note that if we know the architecture of our target, we can use a specific shellcode as well. Since I know that the target is running a 64-bit Windows 7 machine, I can use the sc_x64.bin shellcode as well.

Executing the exploit with the sc_x64.bin shellcode.

Once the exploit is executed successfully, we can see that we receive a connection back from the target box.

Received a connection back from the target.

Now we can interact with the target and run whichever command we choose. Note that we have system level privileges to the box which means we can bring any changes that we want (from installing software to deleting important files, etc).

Metasploit regular shell to the target box.

If you liked reading this article, you can follow me on Twitter: 0xmaCyberSec.