Eternalromance: eternal pwnage of Windows Server 2003 and XP

- 1 min
Exploitation MS17-010

Most of the write-ups on the leaked Equation Group tools by the shadow brokers are about the Eternalblue exploit, an RCE SMB exploit that provides SYSTEM to the attacker of Windows 7 and Windows Server 2008 machines not patched with MS17–010. Cool stuff, however, maybe even cooler is the stuff that will provide reverse shells for life: Eternalromance on fully patched Windows XP and Server 2003 machines. In this short write-up, I’ll explain how to get EternalRomance working by popping a meterpreter session on a fully patched Windows Server 2003 R2 SP2 box.

win2003

Fully patched Windows Server 2003.

Eternalromance requires shellcode for the exploitation phase. Any shellcode other than shellcode generated by the Doublepulsar implant, results in a BSOD on the box (trust me, I’ve tried this many times…).

Start FuzzBunch and type use Doublepulsar. Walk through the default options and choose function OutputInstall. This generates the shellcode to feed to Eternalromance.

2

Doublepulsar generates dopu_shellcode.bin

Walk through the default options of Eternalromance, let the Smbtouch execute and afterwards provide the dopu_shellcode.bin shellcode file generated with Doublepulsar.

3

Smbtouch via Eternalromance.

4

Select proper DoPu shellcode file.

5

Eternalromance succeeded.

After Eternalromance succeeded, let’s now prepare a payload of use to us, in this case a meterpreter shell.

6

Use msfvenom to generate a meterpreter stager DLL.

Now we’ll let Doublepulsar inject this dll, and initiate a meterpreter session.

7

Doublepulsar injects meterpreter.dll

8

Meterpreter session on the Windows Server 2003 SP2.

shell

Seriously though, if your organisation relies on these legacy operating systems:

Stay safe!

rss facebook twitter github youtube mail spotify lastfm instagram linkedin google google-plus pinterest medium vimeo stackoverflow reddit quora quora mastodon