Rapid7 Vulnerability & Exploit Database

MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+

Back to Search

MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+

Disclosed
03/14/2017
Created
07/25/2018

Description

EternalBlue exploit for Windows 8, Windows 10, and 2012 by sleepya The exploit might FAIL and CRASH a target system (depended on what is overwritten) The exploit support only x64 target Tested on: - Windows 2012 R2 x64 - Windows 8.1 x64 - Windows 10 Pro Build 10240 x64 - Windows 10 Enterprise Evaluation Build 10586 x64 Default Windows 8 and later installation without additional service info: - anonymous is not allowed to access any share (including IPC$) - More info: https://support.microsoft.com/en-us/help/3034016/ipc-share-and-null-session-behavior-in-windows - tcp port 445 is filtered by firewall Reference: - http://blogs.360.cn/360safe/2017/04/17/nsa-eternalblue-smb/ - "Bypassing Windows 10 kernel ASLR (remote) by Stefan Le Berre" https://drive.google.com/file/d/0B3P18M-shbwrNWZTa181ZWRCclk/edit Exploit info: - If you do not know how exploit for Windows 7/2008 work. Please read my exploit for Windows 7/2008 at https://gist.github.com/worawit/bd04bad3cd231474763b873df081c09a because the trick for exploit is almost the same - The exploit use heap of HAL for placing fake struct (address 0xffffffffffd00e00) and shellcode (address 0xffffffffffd01000). On Windows 8 and Wndows 2012, the NX bit is set on this memory page. Need to disable it before controlling RIP. - The exploit is likely to crash a target when it failed - The overflow is happened on nonpaged pool so we need to massage target nonpaged pool. - If exploit failed but target does not crash, try increasing 'GroomAllocations' value (at least 5) - See the code and comment for exploit detail. Disable NX method: - The idea is from "Bypassing Windows 10 kernel ASLR (remote) by Stefan Le Berre" (see link in reference) - The exploit is also the same but we need to trigger bug twice - First trigger, set MDL.MappedSystemVa to target pte address - Write '\x00' to disable the NX flag - Second trigger, do the same as Windows 7 exploit - From my test, if exploit disable NX successfully, I always get code execution

Author(s)

  • Equation Group
  • Shadow Brokers
  • sleepya
  • wvu <wvu@metasploit.com>

Platform

Windows

Architectures

x64

Development

References

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/windows/smb/ms17_010_eternalblue_win8
msf exploit(ms17_010_eternalblue_win8) > show targets
    ...targets...
msf exploit(ms17_010_eternalblue_win8) > set TARGET < target-id >
msf exploit(ms17_010_eternalblue_win8) > show options
    ...show and set options...
msf exploit(ms17_010_eternalblue_win8) > exploit

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security

;