0xma Cyber Security Articles

April 9, 2021

Exploit EternalBlue with Custom Exploit (CVE-2017-0144) - 02

In this tutorial we will see how to gain access to a remote computer using the EternalBlue exploit. EternalBlue exploits a vulnerability in Microsoft's implementation of the Server Message Block (SMB) protocol. This vulnerability is denoted by CVE-2017-0144. The vulnerability exists because the SMB version 1 (SMBv1) server in various versions of Microsoft Windows mishandles specially crafted packets from remote attackers, allowing them to execute arbitrary code on the target computer.

Let's download the exploit from the Exploit Database (exploit-db.com).

Exploit page in the Exploit Database (www.exploit-db.com).

Once the exploit is downloaded, let's move it to the current working directory and rename it to eternalblue_exploit.py.

Renaming the script into something readable.

We need mysmb.py for this exploit to work.

mysmb.py script in GitHub.

This shows the raw mysmb.py script.

mysmb.py script in raw format.

Let's download it using wget.

Downloading the mysmb.py script from GitHub.

For this exploit to work, we need to generate a reverse shell in the format of an executable. msfvenom is a good choice to perform this task.

Generating a .exe payload with msfvenom.

This is the original smb_pwn() function in the eternalblue_exploit.py file.

Default contents of the smb_pwn() function.

However, we need to modify it by including the path to the generated reverse shell file and then add another line to execute the reverse shell.

Modifying the smb_pwn() function.

The script has the USERNAME set to empty.

Default values of the USERNAME and PASSWORD variables in the script.

In order for the exploit to work, we have to set the USERNAME to guest.

Setting the USERNAME variable.

Let's create a Metasploit listener to receive the connection back from the target.

Creating a multi/handler listener in Metasploit.

Once the listener is created, we execute the exploit by specifying the IP address of the target.

Executing the exploit script. Executing the exploit script.

If the exploit gets executed successfully, we can receive our reverse shell from the target.

meterpreter shell on the target box.

Running sysinfo which is a built-in meterpreter command shows system information.

sysinfo command in meterpreter.

getuid which again is a built-in meterpreter command shows us that we have system level privileges on the box.

getuid command in meterpreter.

You can follow me on Twitter mujtabareads.