EternalBlue

MS17-010

Summary: EternalBlue exploits a vulnerability in Microsoft’s implementation of SMB. The vulnerability exists because the SMBv1 server (on various versions of Windows) mishandles specially crafted packets sent by a remote attacker, which allows them to execute arbitrary code on the victim computer.

Origins: The Equation Group is the Tailored Access Operations (TAO) department at the NSA that wrote exploits, including this one. The Shadowbrokers dumped these exploits to the public in 2017.

How it works: In essence, EternalBlue exploits a memory overflow via a malformed NT Trans2 packet header. Once the packets are reformed in memory, this allows a jump to the malicious shellcode, which in turn allows the payload (DoublePulsar) to be executed.

DoublePulsar: When the memory overflow takes place and the shellcode is executed, that memory space is freed up and DoublePulsar itself becomes resident within SMB’s memory space without any extra process or bound port. This means that all of the processing done for DoublePulsar is done within SMB itself. It is not a persistent backdoor, meaning you will lose the compromise when the machine is rebooted. That being said, it is very powerful for lateral movement.

With Shodan, it’s been said that if you’re running an unpatched system on an external network, you’re probably already popped. Within 3 days of the Shadowbrokers dump, the entirety of the IPv4 address space had a 3% compromise rate. Yikes.

Three big instances of EternalBlue:

  1. WannaCry Ransomware
  2. Adylkuzz Viral Crypto Miner – a Monero miner (predates WannaCry)
  3. Zealot Campaign – also a Monero miner.

The Metasploit method

In this example, I am running the EternalBlue exploit on HackTheBox’s (HTB) machine named “Blue” — a VM that is specifically vulnerable to this attack.

nmap -A -p- 10.10.10.40

Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-24 12:05 CDT
Nmap scan report for 10.10.10.40
Host is up (0.044s latency).
Not shown: 65527 closed ports
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  msrpc        Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=8/24%OT=135%CT=1%CU=32274%PV=Y%DS=2%DC=T%G=Y%TM=5F43F3
OS:F3%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=109%TI=I%CI=I%II=I%SS=S%TS
OS:=7)OPS(O1=M54DNW8ST11%O2=M54DNW8ST11%O3=M54DNW8NNT11%O4=M54DNW8ST11%O5=M
OS:54DNW8ST11%O6=M54DST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=20
OS:00)ECN(R=Y%DF=Y%T=80%W=2000%O=M54DNW8NNS%CC=N%Q=)T1(R=Y%DF=Y%T=80%S=O%A=
OS:S+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y
OS:%T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD
OS:=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0
OS:%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1
OS:(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI
OS:=N%T=80%CD=Z)

Network Distance: 2 hops
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -17m16s, deviation: 34m37s, median: 2m41s
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: haris-PC
|   NetBIOS computer name: HARIS-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2020-08-24T18:10:38+01:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-08-24T17:10:37
|_  start_date: 2020-08-24T04:01:54

TRACEROUTE (using port 80/tcp)
HOP RTT      ADDRESS
1   47.13 ms 10.10.14.1
2   47.28 ms 10.10.10.40

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 160.43 seconds
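The host-script section of the scan above already carries the three facts a defender needs to triage this host: the OS build, whether an SMBv1 session could be negotiated, and whether message signing is enforced. The following is an added example, not part of the original write-up, that parses that block into a triage verdict. It assumes that nmap only prints smb-security-mode output when it could negotiate an SMBv1 session (so that block's presence is used as the "SMBv1 reachable" indicator); the HARDENED_REPORT sample is constructed to show the same parser on a host with the SMB1 server disabled.

```python
"""Triage nmap host-script output for MS17-010 exposure indicators.

Added example, not part of the original write-up. It parses the NSE
host-script block printed by the scan above (smb-os-discovery,
smb-security-mode, smb2-security-mode) and turns it into the findings a
defender acts on. Assumption: smb-security-mode output is only produced
when the scanner could negotiate an SMBv1 session, so its presence is
used here as the "SMBv1 is reachable" indicator.
"""

# Constructed sample: the host-script section of the scan above, trimmed.
SAMPLE_REPORT = """\
Host script results:
|_clock-skew: mean: -17m16s, deviation: 34m37s, median: 2m41s
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: haris-PC
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
"""

# Constructed sample of a host with the SMB1 server disabled and SMB2
# signing required: no smb-security-mode block is produced at all.
HARDENED_REPORT = """\
Host script results:
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required
"""


def parse_host_scripts(report: str) -> dict:
    """Group the '| script-name:' / '|   detail' lines of an nmap report
    by script name. '|_' marks the last line of a script's output."""
    scripts: dict = {}
    current = None
    for raw in report.splitlines():
        if not raw.startswith("|"):
            continue
        body = raw[1:]
        if body.startswith("_"):
            body = body[1:]
        indent = len(body) - len(body.lstrip(" "))
        text = body.strip()
        if indent <= 1:                      # '| name:' or '|_name: value'
            name, _, rest = text.partition(":")
            current = name.strip()
            scripts[current] = [rest.strip()] if rest.strip() else []
        elif current is not None:            # indented detail line
            scripts[current].append(text)
    return scripts


def triage_smb_host(report: str) -> dict:
    """Return the MS17-010-relevant findings for one host."""
    scripts = parse_host_scripts(report)
    os_name = ""
    for line in scripts.get("smb-os-discovery", []):
        if line.startswith("OS:"):
            os_name = line[3:].strip()
    smb1_lines = scripts.get("smb-security-mode")
    smb1_negotiated = smb1_lines is not None        # see module docstring
    smb1_signing = None
    for line in smb1_lines or []:
        if line.startswith("message_signing:"):
            smb1_signing = line.split(":", 1)[1].strip().split()[0]
    smb2_text = " ".join(scripts.get("smb2-security-mode", [])).lower()
    smb2_signing_required = "required" in smb2_text and "not required" not in smb2_text
    # Any Windows host that still answers SMBv1 needs its MS17-010 patch
    # level confirmed; the OS string alone does not prove it is unpatched.
    candidate = "windows" in os_name.lower() and smb1_negotiated
    actions = []
    if candidate:
        actions.append("Verify the MS17-010 update is installed; disable the SMBv1 server if nothing depends on it.")
    if smb1_signing == "disabled":
        actions.append("SMBv1 message signing is disabled: sessions can be relayed or tampered with.")
    if smb2_text and not smb2_signing_required:
        actions.append("Require SMB2 message signing on this host.")
    return {
        "os": os_name,
        "smb1_negotiated": smb1_negotiated,
        "smb1_signing": smb1_signing,
        "smb2_signing_required": smb2_signing_required,
        "ms17_010_candidate": candidate,
        "actions": actions,
    }


if __name__ == "__main__":
    for label, report in (("blue", SAMPLE_REPORT), ("hardened", HARDENED_REPORT)):
        result = triage_smb_host(report)
        print(label, result["os"], "candidate:", result["ms17_010_candidate"])
        for action in result["actions"]:
            print("   -", action)
```

Run against the Blue scan the verdict is "candidate", with three actions; run against the hardened sample it is clean, because the absence of an SMBv1 negotiation removes the attack surface this exploit needs regardless of OS version.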

Even though we can already see that our target machine is a likely candidate for this exploit (see: Windows 7 Professional 7601 Service Pack 1), we can also use Metasploit to gather some information and verify that our target system is indeed vulnerable to MS17-010 by scanning the target’s system:

Other than that, it’s simply a matter of setting your RHOST/LHOST and running the exploit:

Shell popped.

Here we can see that we came riding in on spoolsv.exe:

The Autoblue method

Step 0: Google “Autoblue github” to find 3ndG4me’s GitHub repository.

Cloning from GitHub

Step 1: run shell_prep.sh to prepare shellcode.

./shell_prep.sh
./shell_prep.sh continued

Step 2: We will need to go back to the main repo directory (cd ..) and run listener_prep.sh (which will launch Metasploit).

./listener_prep.sh
./listener_prep.sh continued — Metasploit opened & listening

Step 3: Run the exploit (in a separate terminal tab).

We can tab back to our Metasploit window to check whether a session has been established.

My initial attempts were unsuccessful, but after playing around with the 4th parameter (Number of Groom Connections) I was able to open a meterpreter session.

So, in order to succeed with this exploit, it may be necessary to run it more than once with a varying number of Groom Connections. Groom Connections are connections opened to try to chain together kernel pool memory so that we can write to the buffer from a desired location.
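The grooming described above has a side effect a defender can see without any knowledge of the packet contents: one client opening an unusually large number of SMB connections to the same host within a few seconds. The following is an added example, not from the original write-up or from AutoBlue, that runs a sliding-window count over a constructed flow log. The log format, the threshold of 8 connections in 10 seconds, and the addresses are assumptions chosen for illustration; the heuristic is a triage signal, not a signature for MS17-010, since scanners, backup jobs and busy file-server clients can produce similar bursts.

```python
"""Flag bursts of SMB connections from one client to one host.

Added example, not part of the original write-up or of AutoBlue. It runs
a sliding-window count over connection records; the log format, the
threshold and the addresses are assumptions chosen for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed flow log: one client (10.10.14.7) opens twelve SMB
# connections to the same host in six seconds; two other clients behave
# normally, and one record is not SMB at all.
SAMPLE_FLOWS = """\
2020-08-24T18:05:00 10.10.14.20 -> 10.10.10.40:445
2020-08-24T18:10:00 10.10.14.7 -> 10.10.10.40:445
2020-08-24T18:10:00 10.10.14.7 -> 10.10.10.40:445
2020-08-24T18:10:01 10.10.14.7 -> 10.10.10.40:445
2020-08-24T18:10:01 10.10.14.7 -> 10.10.10.40:445
2020-08-24T18:10:02 10.10.14.7 -> 10.10.10.40:445
2020-08-24T18:10:02 10.10.14.7 -> 10.10.10.40:445
2020-08-24T18:10:02 10.10.14.9 -> 10.10.10.40:445
2020-08-24T18:10:03 10.10.14.7 -> 10.10.10.40:445
2020-08-24T18:10:03 10.10.14.7 -> 10.10.10.40:445
2020-08-24T18:10:03 10.10.14.7 -> 10.10.10.40:80
2020-08-24T18:10:04 10.10.14.7 -> 10.10.10.40:445
2020-08-24T18:10:04 10.10.14.7 -> 10.10.10.40:445
2020-08-24T18:10:05 10.10.14.7 -> 10.10.10.40:445
2020-08-24T18:10:05 10.10.14.7 -> 10.10.10.40:445
2020-08-24T18:11:30 10.10.14.20 -> 10.10.10.40:445
"""

# "<iso-timestamp> <src> -> <dst>:<dport>", an assumed log format.
FLOW_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+)$")


def parse_flows(text: str):
    """Yield (timestamp, src, dst, dport) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), int(m.group(4))


def find_smb_connection_bursts(text: str, threshold: int = 8,
                               window_s: int = 10, port: int = 445) -> dict:
    """Return {(src, dst): peak_count} for every client/host pair whose
    connection count to `port` reaches `threshold` inside any window of
    `window_s` seconds. Records are sorted by time first so the window
    slides correctly even when the log is not in chronological order."""
    windows = defaultdict(deque)   # (src, dst) -> timestamps still inside the window
    alerts = {}
    for ts, src, dst, dport in sorted(parse_flows(text)):
        if dport != port:
            continue
        q = windows[(src, dst)]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()            # drop connections older than the window
        if len(q) >= threshold:
            alerts[(src, dst)] = max(alerts.get((src, dst), 0), len(q))
    return alerts


if __name__ == "__main__":
    for (src, dst), peak in find_smb_connection_bursts(SAMPLE_FLOWS).items():
        print(f"{src} opened {peak} SMB connections to {dst} within 10s")
```

Raising the threshold or narrowing the window tunes the false-positive rate for a given network; the pair returned here is the only one in the sample that crosses it, and the port filter keeps the non-SMB record out of the count.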

Meterpreter session opened.

We can list our open sessions to connect and use our new shell.

From here I poked around the system and found the HTB flags on each of the target users’ Desktops.

Both user and root shown for HTB flag capture.

To collect the flags for HackTheBox’s Blue machine, I navigated to each user’s Desktop, where they sat in .txt files (as seen with Administrator below).

Root’s HTB flag found on Administrator’s Desktop.