MS17-010(永恒之蓝) Python Exploit

文件如下：

• BUG.txt MS17-010 bug detail and some analysis

• checker.py Script for finding accessible named pipe

• eternalblue_exploit7.py Eternalblue exploit for windows 7/2008

• eternalblue_exploit8.py Eternalblue exploit for windows 8/2012 x64

• eternalblue_poc.py Eternalblue PoC for buffer overflow bug

• eternalblue_kshellcode_x64.asm x64 kernel shellcode for my Eternalblue exploit. This shellcode should work on Windows Vista and later

• eternalblue_kshellcode_x86.asm x86 kernel shellcode for my Eternalblue exploit. This shellcode should work on Windows Vista and later

• eternalblue_sc_merge.py Script for merging eternalblue x86 and x64 shellcode. Eternalblue exploit, that support both x86 and x64, with merged shellcode has no need to detect a target architecture

• eternalchampion_leak.py Eternalchampion PoC for leaking info part

• eternalchampion_poc.py Eternalchampion PoC for controlling RIP

• eternalchampion_poc2.py Eternalchampion PoC for getting code execution

• eternalromance_leak.py Eternalromance PoC for leaking info part

• eternalromance_poc.py Eternalromance PoC for OOB write

• eternalromance_poc2.py Eternalromance PoC for controlling a transaction which leading to arbitrary read/write

• eternalsynergy_leak.py Eternalsynergy PoC for leaking info part

• eternalsynergy_poc.py Eternalsynergy PoC for demonstrating heap spraying with large paged pool

• infoleak_uninit.py PoC for leaking info from uninitialized transaction data buffer

• mysmb.py Extended Impacket SMB class for easier to exploit MS17-010 bugs

• npp_control.py PoC for controlling nonpaged pool allocation with session setup command

• zzz_exploit.py Exploit for Windows 2000 and later (requires access to named pipe)

正常zzz_exploit.py就包含了所有的系统，不过默认执行的payload只是在c盘写了一个文件

需要修改 972行

在smbconn下加上

service_exec(conn, r'cmd /c copy c:\pwned.txt c:\pwned_exec.txt')

把后面执行的cmd改成自己需要执行的命令即可，因为他是创建一个服务去执行命令，可能会出现错误

地址：https://github.com/worawit/MS17-010/