CVSSv2: 9.3

CVE-2017-0144

Published: 17/03/2017 Updated: 21/06/2018
CVSS v2 Base Score: 9.3 | Impact Score: 10 | Exploitability Score: 8.6
CVSS v3 Base Score: 8.1 | Impact Score: 5.9 | Exploitability Score: 2.2
VMScore: 1000
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Summary

The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote malicious users to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability." This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148.

Affected Products

Vendor     Product               Versions
Microsoft  Server Message Block  1.0

Vendor Advisories

Microsoft Security Bulletin MS17-010 - Critical (10/11/2017): Security Update for Microsoft Windows SMB Server (4013389). Executive Summary; Affected Software and Vulnerability Severit ...

Exploits

#!/usr/bin/python from impacket import smb from struct import pack import sys import socket ''' EternalBlue exploit for Windows 7/2008 by sleepya The exploit might FAIL and CRASH a target system (depended on what is overwritten) EDB Note: Shellcode - x64 ~ github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/4 ...
#!/usr/bin/python from impacket import smb, ntlm from struct import pack import sys import socket ''' EternalBlue exploit for Windows 8 and 2012 by sleepya The exploit might FAIL and CRASH a target system (depended on what is overwritten) The exploit support only x64 target EDB Note: Shellcode - x64 ~ github.com/offensive-security/exploit ...
#!/usr/bin/python from impacket import smb, smbconnection from mysmb import MYSMB from struct import pack, unpack, unpack_from import sys import socket import time ''' MS17-010 exploit for Windows 2000 and later by sleepya EDB Note: mysmb.py can be found here ~ github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/423 ...
## # This module requires Metasploit: metasploit.com/download # Current source: github.com/rapid7/metasploit-framework ## # auxiliary/scanner/smb/smb_ms_17_010 require 'msf/core' class MetasploitModule < Msf::Auxiliary include Msf::Exploit::Remote::SMB::Client include Msf::Exploit::Remote::SMB::Client::Authenticated inc ...
# Exploit Author: Juan Sacco <juansacco@kpn.com> at KPN Red Team - www.kpn.com # Date and time of release: May, 9 2017 - 13:00PM # Found this and more exploits on my open source security project: www.exploitpack.com # # MS17-010 - technet.microsoft.com/en-us/library/security/ms17-010.aspx # Tested on: Microsoft Wind ...

Metasploit Modules

MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption

This module is a port of the Equation Group ETERNALBLUE exploit, part of the FuzzBunch toolkit released by Shadow Brokers. There is a buffer overflow in a memmove operation in Srv!SrvOs2FeaToNt. The size is calculated in Srv!SrvOs2FeaListSizeToNt, with a mathematical error where a DWORD is subtracted into a WORD. The kernel pool is groomed so that the overflow is well laid out to overwrite an SMBv1 buffer. The actual RIP hijack is later completed in srvnet!SrvNetWskReceiveComplete. This exploit, like the original, may not trigger 100% of the time, and should be run continuously until triggered. It seems like the pool will get hot streaks and need a cool-down period before the shells rain in again. The module will attempt to use Anonymous login by default to authenticate and perform the exploit. If the user supplies credentials in the SMBUser, SMBPass, and SMBDomain options, it will use those instead. On some systems, this module may cause system instability and crashes, such as a BSOD or a reboot. This may be more likely with some payloads.

msf > use exploit/windows/smb/ms17_010_eternalblue
msf exploit(ms17_010_eternalblue) > show targets
    ...targets...
msf exploit(ms17_010_eternalblue) > set TARGET <target-id>
msf exploit(ms17_010_eternalblue) > show options
    ...show and set options...
msf exploit(ms17_010_eternalblue) > exploit

MS17-010 SMB RCE Detection

Uses information disclosure to determine if MS17-010 has been patched or not. Specifically, it connects to the IPC$ tree and attempts a transaction on FID 0. If the status returned is "STATUS_INSUFF_SERVER_RESOURCES", the machine does not have the MS17-010 patch. If the machine is missing the MS17-010 patch, the module will check for an existing DoublePulsar (ring 0 shellcode/malware) infection. This module does not require valid SMB credentials in default server configurations. It can log on as the user "\" and connect to IPC$.

msf > use auxiliary/scanner/smb/smb_ms17_010
msf auxiliary(smb_ms17_010) > show actions
    ...actions...
msf auxiliary(smb_ms17_010) > set ACTION <action-name>
msf auxiliary(smb_ms17_010) > show options
    ...show and set options...
msf auxiliary(smb_ms17_010) > run

Github Repositories

eternalblue vulnerable service scanner. Requirement: shodan, python 2xx. Queries: port:445 "SMB Version: 1" os:Windows !product:Samba. Reference from CVE-2017-0144: cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-0144

Project moving to gitlab.com/peterpt/Eternal_Scanner. ETERNAL SCANNER 23: Eternal scanner is a network scanner for the Eternal Blue exploit CVE-2017-0144 & Eternal Romance (named pipe) CVE-2017-0145. Screenshots. 22 Version (New Implementations): Eternal Romance Vulnerability check (escan -er); Escan Database Split Results (escan -l). Video: Eternal Scanner 2

ETERNAL SCANNER 23: Eternal scanner is a network scanner for the Eternal Blue exploit CVE-2017-0144 & Eternal Romance (named pipe) CVE-2017-0145. Screenshots. 22 Version (New Implementations): Eternal Romance Vulnerability check (escan -er); Escan Database Split Results (escan -l). Video: Eternal Scanner 20: www.youtube.com/watch?v=8heVXfcywq0 Eternal Scann

SecScripts: A Bunch of Scripts Which Look at Fixing Security Vulnerabilities or otherwise delaying an attack. Available Scripts: Name (Directory) | CVE/Vulnerability | Also Known As | Description | Affects. MSB-MS17-010 | CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0147, CVE-2017-0148 | EternalBlue (NSA), WannaCrypt/WannaCry/WCry/WannaCrypt0r (Used as an Exploit fo

EBEKv20 Updates and Changes: Multi-Threading fixed and optimized; Scan from IP text list (optimized for masscan use); Added payload option for PS1; New scan mode added to continually scan and repeat list; Scan is much faster. EternalBlue_EK: EternalBlue, EternalSynergy, EternalRomance, EternalChampion. CVE List: CVE-2017-0143 CVE-2017-0144

EBEK-Manual_Mode Exploit: EternalBlue, EternalSynergy, EternalRomance, EternalChampion. CVE List: CVE-2017-0143 CVE-2017-0144 CVE-2017-0145 CVE-2017-0146 CVE-2017-0147 CVE-2017-0148. Tested On: Windows XP SP3 x86, Windows XP SP2 x64, Windows 7 SP1 x86, Windows 7 SP1 x64, Windows 8.1 x86, Windows 8.1 x64, Windows 10 Pro Build 10240 x64, Windows Server 2000 SP4 x86, Windows

EBEK--EternalBlue-EK: EternalBlue, EternalSynergy, EternalRomance, EternalChampion. CVE List: CVE-2017-0143 CVE-2017-0144 CVE-2017-0145 CVE-2017-0146 CVE-2017-0147 CVE-2017-0148. Tested On: Windows XP SP3 x86, Windows XP SP2 x64, Windows 7 SP1 x86, Windows 7 SP1 x64, Windows 8.1 x86, Windows 8.1 x64, Windows 10 Pro Build 10240 x64, Windows Server 2000 SP4 x86, Wi

MS17-010 SMB Remote Code Execution (MS17-010) Exploit CVE CVE-2017-0143 CVE-2017-0144 CVE-2017-0145 CVE-2017-0146 CVE-2017-0147 CVE-2017-0148

Utility for checking whether the MS17-010 update is installed. The utility makes it possible to quickly analyse a network for hosts on which the MS17-010 update is missing. This update closes the vulnerabilities CVE-2

Exploit-Modules: These exploits and utilities are a part of the Project-WARMIND. To implement: CVE-2018-7600 CVE-2018-7602 CVE-2017-0144 CVE-2018-1002150 CVE-2018-1000300 CVE-2018-1000178 CVE-2018-1000167 CVE-2018-1000140 CVE-2018-1000118 CVE-2018-1000059 CVE-2018-1000043 CVE-2018-1000042 CVE-2018-8739 CVE-2018-8736 CVE-2018-7665

SMB-CVE: CVE listings for Windows SMB vulnerabilities. SMB Server Vulnerabilities: these could be in any of the SMB drivers and their supporting services. Bulletin | Type | CVE | Description. MS02-070 | RCE | CAN-2002-1256 | Flaw in SMB Signing Could Enable Group Policy to be Modified. MS03-024 | RCE | CAN-2003-0345 | Buffer overflow in the SMB capability

Awesome Stars A curated list of my GitHub stars! Generated by starred Contents ASP Arduino Assembly AutoHotkey AutoIt Batchfile BitBake Bro C C# C++ CSS CoffeeScript Dockerfile Emacs Lisp Erlang Game Maker Language Go HTML Haskell Java JavaScript Jupyter Notebook KiCad Kotlin Logos Lua M Makefile Markdown Mask

Awesome CVE PoC A curated list of CVE PoCs Here is a collection about Proof of Concepts of Common Vulnerabilities and Exposures, and you may also want to check out awesome-web-security Please read the contribution guidelines before contributing This repo is full of PoCs for CVEs If you enjoy this awesome list and would like to support it, check out my Patreon page :

Recent Articles

PyRoMine Uses NSA Exploit for Monero Mining and Backdoors
Threatpost • Tara Seals • 26 Apr 2018

The ShadowBrokers’ release of a trove of National Security Agency exploits last year appears to be the gift that keeps on giving, to the hacker community at least: A fresh malware that uses the EternalRomance tool has hit the scene, with Monero-mining as the stated goal. However, more damaging follow-on attacks are likely the endgame.
The bad code is a Python-based cryptocurrency mining malware, according to Fortinet’s FortiGuard Labs, which first discovered it this month. Because the ...

CVE-2017-10271 Used to Deliver CryptoMiners: An Overview of Techniques Used Post-Exploitation and Pre-Mining
Fireeye Threat Research • by Rakesh Sharma, Akhil Reddy, Kimberly Goody • 15 Feb 2018

Introduction
FireEye researchers recently observed threat actors abusing CVE-2017-10271 to deliver various cryptocurrency miners.
CVE-2017-10271 is a known input validation vulnerability that exists in the WebLogic Server Security Service (WLS Security) in Oracle WebLogic Server versions 12.2.1.2.0 and prior, and attackers can exploit it to remotely execute arbitrary code. Oracle released a Critical Patch Update that reportedly fixes this vulnerability. Users who failed to patch thei...

Smominru Botnet Infected Over 500,000 Windows Machines
BleepingComputer • Catalin Cimpanu • 01 Feb 2018

Over 526,000 Windows computers —mainly Windows servers— have been infected with Monero mining software by a group that operates the biggest such botnet known to date.
This group's operations have been known to security researchers since last year, and various companies have published reports on its activity. Because the botnet is so massive and widespread, most previous reports covered only a fraction of the group's entire operation.
The most recent reports that have gotten to th...

EternalBlue Exploit Used in Retefe Banking Trojan Campaign
Threatpost • Tom Spring • 22 Sep 2017

Criminals behind the Retefe banking Trojan have added a new component to their malware that uses the NSA exploit EternalBlue.
The update makes Retefe the latest malware family to adopt the SMBv1 attack against a patched Windows vulnerability, and could signal an emerging trend, said researchers at Proofpoint. Earlier this year, researchers at Flashpoint observed the TrickBot banking Trojan had added an EternalBlue module as well.
While Retefe has never reached the scale or reputation...

"Eternal Blues" Tool Tests Computers Against NSA's ETERNALBLUE Exploit
BleepingComputer • Catalin Cimpanu • 30 Jun 2017

Security researcher Elad Erez has created a tool named Eternal Blues that system administrators can use to test if computers on their network are vulnerable to exploitation via NSA's ETERNALBLUE exploit.
Erez released his tool on Wednesday, a day after the NotPetya ransomware caused damages to thousands of computers across the globe.
Just like WannaCry did in last month's outbreak, NotPetya also used ETERNALBLUE as a means to spread from one computer to the next.
In hacking and...

EternalBlue NSA Exploit Becomes Commodity Hacking Tool, Spreads to Other Malware
BleepingComputer • Catalin Cimpanu • 03 Jun 2017

ETERNALBLUE, an alleged NSA exploit targeting the SMBv1 protocol leaked by the Shadow Brokers in mid-April, has become a commodity hacking tool among malware developers.
The tool's notoriety comes from its successful usage as part of the WannaCry ransomware's self-spreading mechanism, where it was deployed alongside another NSA hacking tool called DOUBLEPULSAR to help WannaCry infect random computers via unprotected SMB services.
After WannaCry has become the most infamous cyber-inci...

WannaCrypt ransomware snatches NSA exploit, fscks over Telefónica, other orgs in Spain
The Register • John Leyden • 12 May 2017

EternalBlue now an eternal headache

Updated Workers at Telefónica's Madrid headquarters were left staring at their screen on Friday following a ransomware outbreak.
Telefónica was one of several victims of a widespread file-encrypting ransomware outbreak, El Pais reports. Telefónica has confirmed the epidemic on its intranet while downplaying its seriousness, saying everything was under control. Fixed and mobile telephony services provided by the firm have not been affected.
Other Spanish targets of the attack repor...