Metasploit-framework: [Bug] Eternalblue win8 exploit doesn't load

Created on 8 Jul 2020 · 9 Comments · Source: rapid7/metasploit-framework

Steps to reproduce

  1. Search the exploit search eternalblue
  2. Try and include the exploit using use exploit/windows/smb/ms17_010_eternalblue_win8
  3. Try and do tab completion, the exploit doesn't show up there either

The exploit shows up in search but while including it doesn't work. Sounds dumb but I think the exploit is either broken or wasn't included in the version I'm using.

Expected behavior

The exploit should show up in tab completion and should be loaded.

Current behavior

The exploit doesn't load and shows the following error:

[-] Failed to load module: exploit/windows/smb/ms17_010_eternalblue_win8

Here's tail of ~/.msf4/logs/framework.log (probably the exploit is broken)

[07/08/2020 13:25:40] [e(0)] core: Unable to load module /usr/share/metasploit-framework/modules/exploits/windows/smb/ms17_010_eternalblue_win8.py, unknown module type
[07/08/2020 13:28:26] [e(0)] core: /usr/share/metasploit-framework/modules/exploits/windows/smb/ms17_010_eternalblue_win8.rb failed to load - Errno::ENOENT No such file or directory @ rb_sysopen - /usr/share/metasploit-framework/modules/exploits/windows/smb/ms17_010_eternalblue_win8.rb
[07/08/2020 13:28:26] [e(0)] core: Unexpected output running /usr/share/metasploit-framework/modules/exploits/windows/smb/ms17_010_eternalblue_win8.py:
Traceback (most recent call last):
  File "/usr/share/metasploit-framework/modules/exploits/windows/smb/ms17_010_eternalblue_win8.py", line 178, in <module>
    ntfea9000 = (pack('<BBH', 0, 0, 0) + '\x00')*0x260  # with these fea, ntfea size is 0x1c80
TypeError: can't concat str to bytes

[07/08/2020 13:28:26] [e(0)] core: Unable to load module /usr/share/metasploit-framework/modules/exploits/windows/smb/ms17_010_eternalblue_win8.py, unknown module type

System stuff

Metasploit version

msf5 > version
Framework: 5.0.96-dev
Console  : 5.0.96-dev

I installed Metasploit with:

  • [x] Kali package via apt
  • [ ] Omnibus installer (nightly)
  • [ ] Commercial/Community installer (from http://www.rapid7.com/products/metasploit/download.jsp)
  • [ ] Source install (please specify ruby version)

OS

What OS are you running Metasploit on?

cat /etc/*release
PRETTY_NAME="Kali GNU/Linux Rolling"
NAME="Kali GNU/Linux"
ID=kali
VERSION="2020.2"
VERSION_ID="2020.2"
VERSION_CODENAME="kali-rolling"
ID_LIKE=debian
ANSI_COLOR="1;31"
HOME_URL="https://www.kali.org/"
SUPPORT_URL="https://forums.kali.org/"
BUG_REPORT_URL="https://bugs.kali.org/"
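
A triage helper for the framework.log excerpt in the report above, added here as an example; it is not code from the issue or from Metasploit. The log lines are the ones quoted in the report, while the category names and their ranking are assumptions of this example.

```python
import re

# Sample input: the framework.log lines quoted in the report (raw string keeps '\x00' literal).
SAMPLE_LOG = r"""[07/08/2020 13:25:40] [e(0)] core: Unable to load module /usr/share/metasploit-framework/modules/exploits/windows/smb/ms17_010_eternalblue_win8.py, unknown module type
[07/08/2020 13:28:26] [e(0)] core: /usr/share/metasploit-framework/modules/exploits/windows/smb/ms17_010_eternalblue_win8.rb failed to load - Errno::ENOENT No such file or directory @ rb_sysopen - /usr/share/metasploit-framework/modules/exploits/windows/smb/ms17_010_eternalblue_win8.rb
[07/08/2020 13:28:26] [e(0)] core: Unexpected output running /usr/share/metasploit-framework/modules/exploits/windows/smb/ms17_010_eternalblue_win8.py:
Traceback (most recent call last):
  File "/usr/share/metasploit-framework/modules/exploits/windows/smb/ms17_010_eternalblue_win8.py", line 178, in <module>
    ntfea9000 = (pack('<BBH', 0, 0, 0) + '\x00')*0x260  # with these fea, ntfea size is 0x1c80
TypeError: can't concat str to bytes

[07/08/2020 13:28:26] [e(0)] core: Unable to load module /usr/share/metasploit-framework/modules/exploits/windows/smb/ms17_010_eternalblue_win8.py, unknown module type
"""

ENTRY = re.compile(r"^\[\d\d/\d\d/\d{4} [\d:]{8}\] \[(\w)\(\d\)\] \w+: (.*)$")
MODULE = re.compile(r"/\S+?/modules/\S+?\.(?:rb|py)\b")
# Hypothetical category labels, listed from most to least informative.
RULES = [("Unexpected output running", "external-module-crash"),
         ("Errno::ENOENT", "missing-file"),
         ("unknown module type", "unknown-module-type")]
RANK = [category for _, category in RULES] + ["other"]

def parse_entries(text):
    """Attach continuation lines (such as a Python traceback) to the entry before them."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append({"level": m.group(1), "msg": m.group(2), "extra": []})
        elif entries and line.strip():
            entries[-1]["extra"].append(line.strip())
    return entries

def classify(msg):
    return next((cat for needle, cat in RULES if needle in msg), "other")

def triage(text):
    """Map module path -> [(category, last continuation line)] for error-level entries."""
    report = {}
    for e in parse_entries(text):
        m = MODULE.search(e["msg"])
        if e["level"] == "e" and m:
            detail = e["extra"][-1] if e["extra"] else ""
            report.setdefault(m.group(0), []).append((classify(e["msg"]), detail))
    return report

def most_informative(report):
    """Per module, keep the finding ranked first in RANK (the traceback beats its symptom)."""
    return {p: min(found, key=lambda f: RANK.index(f[0])) for p, found in report.items()}
```

Run over the excerpt, `most_informative(triage(SAMPLE_LOG))` reports the `.py` path with the `TypeError` line rather than the repeated "unknown module type" message that follows from it.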

All 9 comments

Ruby's version (if it helps)

$ ruby --version
ruby 2.7.1p83 (2020-03-31 revision a0c7c23c9c) [x86_64-linux-gnu]

I can't reproduce this:

msf5 > search eternalblue

Matching Modules
================

   #  Name                                           Disclosure Date  Rank     Check  Description
   -  ----                                           ---------------  ----     -----  -----------
   0  auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   1  auxiliary/scanner/smb/smb_ms17_010                              normal   No     MS17-010 SMB RCE Detection
   2  exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   3  exploit/windows/smb/ms17_010_eternalblue_win8  2017-03-14       average  No     MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
   4  exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   5  exploit/windows/smb/smb_doublepulsar_rce       2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution


Interact with a module by name or index, for example use 5 or use exploit/windows/smb/smb_doublepulsar_rce

msf5 > use exploit/windows/smb/ms17_010_eternalblue_win8
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/smb/ms17_010_eternalblue_win8) >

My guess is we have different versions of python. Perhaps you can try something like this: https://github.com/rapid7/metasploit-framework/compare/master...timwr:fix_13825

Dupe of #13344 ~which is a dupe of #13478~

Sorry for creating a dupe.

So the solution if anyone comes across this issue is to replace python3 with python2 in the shebang in the python exploit.

The following one-liner will do:

sed -i 's/python3/python2/g' /usr/share/metasploit-framework/modules/exploits/windows/smb/ms17_010_eternalblue_win8.py

POC:

[image]


Relooking at it again, changing python3 to python2 does fix it but while running the exploit impacket isn't loaded with python2 which is required for the exploit to run.

The initial error was:

[image]


I can't find a solution to this, for fixing it for python3, we've to replace each instance of '\x00' with b'\x00'. Is that the intended solution? Please correct me if I'm wrong.

Replacing those instances does fix it but it isn't a good fix, there might be other errors too if ran against a legit target.

> I can't find a solution to this, for fixing it for python3, we've to replace each instance of '\x00' with b'\x00'. Is that the intended solution? Please correct me if I'm wrong.
>
> Replacing those instances does fix it but it isn't a good fix, there might be other errors too if ran against a legit target.

There is currently no official solution. Note that replacing '\x00' with b'\x00' is unlikely to be sufficient. Refer to #13478.

Thanks @bcoles, I'll see if I can fix the exploit in my free time with proper implementation and against a target as written by @acammack-r7 in the issue.

Again, thanks for the support guys, closing this.

Hello everyone!
I made a simple change that works.

In the first line, replace this:

#!/usr/bin/env python3

for this:

#!/usr/bin/env python

And the metasploit can load it now!

> Hello everyone!
> I made a simple change that works.
>
> In the first line, replace this:
>
> #!/usr/bin/env python3
>
> for this:
>
> #!/usr/bin/env python
>
> And the metasploit can load it now

what did you edit?

>> Hello everyone!
>> I made a simple change that works.
>> In the first line, replace this:
>>
>> #!/usr/bin/env python3
>>
>> for this:
>>
>> #!/usr/bin/env python
>>
>> And the metasploit can load it now
>
> what did you edit?

nano metasploit-framework/modules/exploits/windows/smb/ms17_010_eternalblue_win8.py
