Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.
Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.
Path: blob/master/documentation/modules/exploit/windows/smb/ms17_010_eternalblue.md
Views: 11789
ms17_010_eternalblue is a remote exploit against Microsoft Windows, originally written by the Equation Group (NSA) and leaked by Shadow Brokers (an unknown hacking entity). It is considered a reliable exploit and allows you to gain access not only as SYSTEM - the highest Windows user mode privilege, but also full control of the kernel in ring 0. In modern day penetration tests, this exploit can be used in internal and external environments.
As far as remote kernel exploits go, this one is highly reliable and safe to use.
The check command of ms17_010_eternalblue is also highly accurate, because Microsoft's patch inadvertently added an information disclosure with extra checks on vulnerable code paths.
Vulnerable Application
This exploit works against a vulnerable SMB service from one of these Windows systems:
Windows XP x86 (All Service Packs)
Windows 2003 x86 (All Service Packs)
Windows 7 x86 (All Service Packs)
Windows 7 x64 (All Service Packs)
Windows 2008 R2 x64 (All Service Packs)
Windows 8.1 x64
Windows Server 2012 R2 x64
Windows 10 Pro x64 (< Version 1507)
Windows 10 Enterprise Evaluation x64 (< Version 1507)
To reliability determine whether the machine is vulnerable, you will have to either examine the system's patch level, or use a vulnerability check.
Verification Steps
Start
msfconsoleuse exploit/windows/smb/ms17_010_eternalblueset RHOSTto Windows 7/2008 x64set PAYLOADexploitVerify that you get a shell
Verify that you do not crash (post an Issue with core dump if you do)
Options
This is the usermode process that an APC containing shellcode will be queued into. This should probably be a SYSTEM process, such as lsass.exe or spoolsv.exe.
This is the base number of pool grooming packets that will be sent per exploit.
Grooming the kernel pool does not always succeed, so this is the amount of times to retry the exploit. Only used when exploiting machines with Windows XP x86, Windows 2003 x86, Windows 7 x86, Windows 7 x64, or Windows 2008 R2 x64.
This is the number of extra kernel pool grooming attempts that will be performed per exploit try, if previous try failed. Only used when exploiting machines with Windows XP x86, Windows 2003 x86, Windows 7 x86, Windows 7 x64, or Windows 2008 R2 x64.
Unsafe configuration of Target It is not possible to determine the Architecture (x86 or x64) of a machine from its SMB headers. The exploit has safeguards to silently fail if you use the wrong arch. If the shells aren't poppin', try to change the architecture.