EternalBlue on Windows XP

There are a few articles and exploits out there where EternalBlue has been found to work on Windows XP. However, the Metasploit Framework does not seem to have a reliable exploit for it.

I did find a working exploit here; specifically, it works perfectly. However, it basically just writes an empty file (around line 975). You can use this to run arbitrary commands, though. So create an exploit with msfvenom, spin up a webserver, have it downloaded, hope AV doesn't catch it... or, let's just take the easy road.

service_exec(conn, r'cmd /c net user <username> <password> /add')
service_exec(conn, r'cmd /c net localgroup Administrators <username> /add')
service_exec(conn, r'reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v forceguest /t reg_dword /d 0 /f')

These three lines create a user, add the user to the Administrators group, and then (perhaps most importantly) set the registry value behind secpol.msc -> Local Policies -> Security Options -> "Network access: Sharing and security model for local accounts". It sets this value to 0, which corresponds to "Classic - local users authenticate as themselves".

Once the user is added and the value set, use exploit/windows/smb/psexec and authenticate!
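What this sequence looks like from the defensive side, as an added example that is not part of the original post: a Python script that correlates constructed Windows Security event records (an account created and then added to Administrators within a short window, which is exactly what the two net commands above produce) and checks a captured `reg query` of the ForceGuest value against a recorded baseline. The event IDs (624/636 on XP and 2003, 4720/4732 on later Windows), the field names, the SYSTEM subject and the baseline of 1 ("Guest only") are assumptions about the log source and host; every record below is constructed, not a real capture.

```python
"""Detect the post-exploitation chain described above: local account created,
added to Administrators, and Lsa\\ForceGuest switched to 0.
Added example, not from the original post. Event IDs, field names and the
baseline are assumptions; all sample records are constructed."""
import re
from datetime import datetime

USER_CREATED = {624, 4720}             # XP/2003 legacy ID, Vista+ ID (assumed)
LOCAL_GROUP_MEMBER_ADDED = {636, 4732}  # XP/2003 legacy ID, Vista+ ID (assumed)
ADMINISTRATORS_SID = "S-1-5-32-544"     # well-known SID of BUILTIN\Administrators

# Constructed sample records: (timestamp, event_id, fields)
SAMPLE_EVENTS = [
    # account created and promoted two seconds apart by SYSTEM (service_exec runs as a service)
    ("2020-01-01 10:00:01", 624, {"TargetUser": "svc_backup", "SubjectUser": "SYSTEM"}),
    ("2020-01-01 10:00:03", 636, {"MemberName": "svc_backup", "GroupSid": "S-1-5-32-544",
                                  "SubjectUser": "SYSTEM"}),
    # an administrator creates an ordinary user that is never promoted
    ("2020-01-01 11:30:00", 624, {"TargetUser": "alice", "SubjectUser": "Administrator"}),
    # promotion of an account with no creation event in the log (outside the window)
    ("2020-01-01 12:00:00", 4732, {"MemberName": "bob", "GroupSid": "S-1-5-32-544",
                                   "SubjectUser": "Administrator"}),
]


def _ts(stamp):
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")


def find_rapid_admin_creation(events, window_seconds=300):
    """Return [(user, seconds_between, subject)] for every account that was
    created and then added to Administrators within window_seconds."""
    created = {}   # lowercased username -> (creation time, subject)
    hits = []
    for stamp, event_id, fields in sorted(events, key=lambda e: _ts(e[0])):
        if event_id in USER_CREATED:
            created[fields["TargetUser"].lower()] = (_ts(stamp), fields.get("SubjectUser"))
        elif event_id in LOCAL_GROUP_MEMBER_ADDED and fields.get("GroupSid") == ADMINISTRATORS_SID:
            user = fields["MemberName"].lower()
            if user in created:
                delta = (_ts(stamp) - created[user][0]).total_seconds()
                if 0 <= delta <= window_seconds:
                    hits.append((user, delta, fields.get("SubjectUser")))
    return hits


# Constructed output of: reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v forceguest
SAMPLE_REG_QUERY = """
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa
    forceguest    REG_DWORD    0x0
"""

_FORCEGUEST_RE = re.compile(r"^\s*forceguest\s+REG_DWORD\s+(0x[0-9a-fA-F]+|\d+)\s*$",
                            re.IGNORECASE | re.MULTILINE)


def parse_force_guest(reg_query_output):
    """Return the ForceGuest DWORD from reg query output, or None if it is absent."""
    m = _FORCEGUEST_RE.search(reg_query_output)
    if not m:
        return None
    raw = m.group(1)
    return int(raw, 16) if raw.lower().startswith("0x") else int(raw)


def force_guest_deviates(reg_query_output, baseline=1):
    """True when the sharing model differs from the recorded baseline
    (assumed 1, "Guest only", for a workgroup XP host)."""
    value = parse_force_guest(reg_query_output)
    return value is not None and value != baseline


if __name__ == "__main__":
    for user, delta, subject in find_rapid_admin_creation(SAMPLE_EVENTS):
        print(f"suspicious: {user} added to Administrators {delta:.0f}s after creation (by {subject})")
    if force_guest_deviates(SAMPLE_REG_QUERY):
        print("ForceGuest changed from baseline: network logons now authenticate as themselves")
```

The correlation keys on the Administrators SID rather than the group name so that localized group names do not slip past it, and the registry check compares against a baseline you record for the host rather than a hard-coded "correct" value, since domain-joined XP machines legitimately run with the Classic model.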



Infosec analyst, lover of passwords, and owner of a giant goofy puppy.