CVSSv2: 9.3

CVE-2017-0144

Published: 17/03/2017 Updated: 21/06/2018
CVSS v2 Base Score: 9.3 | Impact Score: 10 | Exploitability Score: 8.6
CVSS v3 Base Score: 8.1 | Impact Score: 5.9 | Exploitability Score: 2.2
VMScore: 1000
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Summary

The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote malicious users to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability." This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148.

Vulnerability Trend

Affected Products

Vendor     Product               Versions
Microsoft  Server Message Block  1.0

ICS Advisories

Exploits

#!/usr/bin/python from impacket import smb from struct import pack import sys import socket ''' EternalBlue exploit for Windows 7/2008 by sleepya The exploit might FAIL and CRASH a target system (depending on what is overwritten) EDB Note: Shellcode - x64 ~ github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/4 ...
#!/usr/bin/python from impacket import smb, ntlm from struct import pack import sys import socket ''' EternalBlue exploit for Windows 8 and 2012 by sleepya The exploit might FAIL and CRASH a target system (depending on what is overwritten) The exploit supports only x64 targets EDB Note: Shellcode - x64 ~ github.com/offensive-security/exploit ...
#!/usr/bin/python from impacket import smb, smbconnection from mysmb import MYSMB from struct import pack, unpack, unpack_from import sys import socket import time ''' MS17-010 exploit for Windows 2000 and later by sleepya EDB Note: mysmb.py can be found here ~ github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/423 ...
# Exploit Author: Juan Sacco <juansacco@kpn.com> at KPN Red Team - www.kpn.com # Date and time of release: May, 9 2017 - 13:00PM # Found this and more exploits on my open source security project: www.exploitpack.com # # MS17-010 - technet.microsoft.com/en-us/library/security/ms17-010.aspx # Tested on: Microsoft Wind ...
## # This module requires Metasploit: metasploit.com/download # Current source: github.com/rapid7/metasploit-framework ## # auxiliary/scanner/smb/smb_ms_17_010 require 'msf/core' class MetasploitModule < Msf::Auxiliary include Msf::Exploit::Remote::SMB::Client include Msf::Exploit::Remote::SMB::Client::Authenticated inc ...

Metasploit Modules

MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption

This module is a port of the Equation Group ETERNALBLUE exploit, part of the FuzzBunch toolkit released by Shadow Brokers. There is a buffer overflow memmove operation in Srv!SrvOs2FeaToNt. The size is calculated in Srv!SrvOs2FeaListSizeToNt, with a mathematical error where a DWORD is subtracted into a WORD. The kernel pool is groomed so that the overflow is well laid out to overwrite an SMBv1 buffer. The actual RIP hijack is later completed in srvnet!SrvNetWskReceiveComplete. This exploit, like the original, may not trigger 100% of the time and should be run continuously until triggered. It seems the pool gets hot streaks and needs a cool-down period before the shells rain in again. By default, the module attempts Anonymous login to authenticate and perform the exploit. If the user supplies credentials in the SMBUser, SMBPass, and SMBDomain options, it uses those instead. On some systems, this module may cause system instability and crashes, such as a BSOD or a reboot; this may be more likely with some payloads.
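To make the "DWORD subtracted into a WORD" error concrete, here is a simplified C model added for this page (not the module's or srv.sys code): the FEA list header's 32-bit size field is written back through a 16-bit store, so the allocation (sized from the entries actually walked) and the copy loop's bound (read from the field) disagree. Field layout and the two sample sizes are assumptions constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Model of the buggy write-back: the 32-bit SizeOfListInBytes field is
 * updated with a WORD store, so only its low 16 bits change and any
 * high 16 bits the sender put there survive. (Simplified model.) */
static uint32_t buggy_write_back(uint32_t field, uint32_t walked) {
    return (field & 0xFFFF0000u) | (walked & 0x0000FFFFu);
}

/* Corrected write-back: the whole 32-bit field receives the walked size,
 * so the stored size can never exceed what was actually validated. */
static uint32_t fixed_write_back(uint32_t field, uint32_t walked) {
    (void)field;
    return walked;
}

/* How many bytes the conversion loop would run past the allocation for a
 * list that declares `declared` bytes but whose entries actually span
 * `walked` bytes, under the given write-back. 0 means in bounds. */
static uint32_t overrun_bytes(uint32_t declared, uint32_t walked,
                              uint32_t (*write_back)(uint32_t, uint32_t)) {
    uint32_t allocation = walked;                  /* sized from the walk */
    uint32_t loop_bound = write_back(declared, walked); /* trusted by the copy */
    return loop_bound > allocation ? loop_bound - allocation : 0;
}

int main(void) {
    /* Constructed values: entries span 0x100 bytes, but the header
     * declares 0x10100 (a bit set in the high WORD). */
    uint32_t declared = 0x10100u, walked = 0x100u;
    printf("buggy write-back: %#x bytes past the allocation\n",
           (unsigned)overrun_bytes(declared, walked, buggy_write_back));
    printf("fixed write-back: %#x bytes past the allocation\n",
           (unsigned)overrun_bytes(declared, walked, fixed_write_back));
    return 0;
}
```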

msf > use exploit/windows/smb/ms17_010_eternalblue
msf exploit(ms17_010_eternalblue) > show targets
    ...targets...
msf exploit(ms17_010_eternalblue) > set TARGET <target-id>
msf exploit(ms17_010_eternalblue) > show options
    ...show and set options...
msf exploit(ms17_010_eternalblue) > exploit

MS17-010 SMB RCE Detection

Uses information disclosure to determine whether MS17-010 has been patched. Specifically, it connects to the IPC$ tree and attempts a transaction on FID 0. If the status returned is "STATUS_INSUFF_SERVER_RESOURCES", the machine does not have the MS17-010 patch. If the machine is missing the patch, the module then checks for an existing DoublePulsar (ring 0 shellcode/malware) infection. This module does not require valid SMB credentials in default server configurations: it can log on as the user "\" and connect to IPC$.

msf > use auxiliary/scanner/smb/smb_ms17_010
msf auxiliary(smb_ms17_010) > show actions
    ...actions...
msf auxiliary(smb_ms17_010) > set ACTION <action-name>
msf auxiliary(smb_ms17_010) > show options
    ...show and set options...
msf auxiliary(smb_ms17_010) > run

Github Repositories

eternalblue vulnerable service scanner. Requirement: shodan, python 2.x.x. Queries: port:445 "SMB Version: 1" os:Windows !product:Samba. Reference from CVE-2017-0144: cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-0144

Project moving to gitlab.com/peterpt/Eternal_Scanner. ETERNAL SCANNER 2.3. Eternal Scanner is a network scanner for the EternalBlue exploit (CVE-2017-0144) & EternalRomance (named pipe, CVE-2017-0145). Screenshots. 2.2 Version (New Implementations): EternalRomance vulnerability check (escan -er); Escan database split results (escan -l). Video: Eternal Scanner 2

ETERNAL SCANNER 2.3. Eternal Scanner is a network scanner for the EternalBlue exploit (CVE-2017-0144) & EternalRomance (named pipe, CVE-2017-0145). Screenshots. 2.2 Version (New Implementations): EternalRomance vulnerability check (escan -er); Escan database split results (escan -l). Video: Eternal Scanner 2.0: www.youtube.com/watch?v=8heVXfcywq0 Eternal Scann

Utility for checking whether the MS17-010 update is installed. The utility lets you quickly scan a network for hosts that are missing the MS17-010 update. This update closes the vulnerabilities CVE-2

#EBEK--EternalBlue-EK: EternalBlue, EternalSynergy, EternalRomance, EternalChampion. CVE List: CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0147, CVE-2017-0148. Tested On: Windows XP SP3 x86, Windows XP SP2 x64, Windows 7 SP1 x86, Windows 7 SP1 x64, Windows 8.1 x86, Windows 8.1 x64, Windows 10 Pro Build 10240 x64, Windows Server 2000 SP4 x86, Wi

MS17-010 SMB Remote Code Execution (MS17-010) Exploit CVE CVE-2017-0143 CVE-2017-0144 CVE-2017-0145 CVE-2017-0146 CVE-2017-0147 CVE-2017-0148

SecScripts: A bunch of scripts which look at fixing security vulnerabilities or otherwise delaying an attack. Available Scripts: Name (Directory) | CVE/Vulnerability | Also Known As | Description | Affects. MSB-MS17-010 | CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0147, CVE-2017-0148 | EternalBlue (NSA), WannaCrypt/WannaCry/WCry/WannaCrypt0r (Used as an Exploit fo

-EBEKv2.0 ########### EBEKv2.0 Updates and Changes: Multi-threading fixed and optimized; scan from IP text list (optimized for masscan use); added payload option for PS1; new scan mode added to continually scan and repeat list; scan is much faster ########### EternalBlue_EK: EternalBlue, EternalSynergy, EternalRomance, EternalChampion. CVE List: CVE-2017-0143, CVE-2017-0144

#EBEK-Manual_Mode Exploit: EternalBlue, EternalSynergy, EternalRomance, EternalChampion. CVE List: CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0147, CVE-2017-0148. Tested On: Windows XP SP3 x86, Windows XP SP2 x64, Windows 7 SP1 x86, Windows 7 SP1 x64, Windows 8.1 x86, Windows 8.1 x64, Windows 10 Pro Build 10240 x64, Windows Server 2000 SP4 x86, Windows

Exploit-Modules: These exploits and utilities are a part of Project-WARMIND. To implement: CVE-2018-7600, CVE-2018-7602, CVE-2017-0144, CVE-2018-1002150, CVE-2018-1000300, CVE-2018-1000178, CVE-2018-1000167, CVE-2018-1000140, CVE-2018-1000118, CVE-2018-1000059, CVE-2018-1000043, CVE-2018-1000042, CVE-2018-8739, CVE-2018-8736, CVE-2018-7665

SMB-CVE: CVE listings for Windows SMB vulnerabilities. SMB Server Vulnerabilities: These could be in any of the SMB drivers and their supporting services. Bulletin | Type | CVE | Description. MS02-070 | RCE | CAN-2002-1256 | Flaw in SMB Signing Could Enable Group Policy to be Modified. MS03-024 | RCE | CAN-2003-0345 | Buffer overflow in the SMB capability

Awesome Stars A curated list of my GitHub stars! Generated by starred Contents ASP Arduino Assembly AutoHotkey AutoIt Batchfile BitBake Bro C C# C++ CSS CoffeeScript Dockerfile Emacs Lisp Erlang Game Maker Language Go HTML Haskell Java JavaScript Jupyter Notebook KiCad Kotlin Logos Lua M Makefile Markdown Mask

Awesome CVE PoC A curated list of CVE PoCs Here is a collection about Proof of Concepts of Common Vulnerabilities and Exposures, and you may also want to check out awesome-web-security Please read the contribution guidelines before contributing This repo is full of PoCs for CVEs If you enjoy this awesome list and would like to support it, check out my Patreon page :

Recent Articles

PyRoMine Uses NSA Exploit for Monero Mining and Backdoors
Threatpost • Tara Seals • 26 Apr 2018

The ShadowBrokers’ release of a trove of National Security Agency exploits last year appears to be the gift that keeps on giving, to the hacker community at least: A fresh malware that uses the EternalRomance tool has hit the scene, with Monero-mining as the stated goal. However, more damaging follow-on attacks are likely the endgame.
The bad code is a Python-based cryptocurrency mining malware, according to Fortinet’s FortiGuard Labs, which first discovered it this month. Because the ...

CVE-2017-10271 Used to Deliver CryptoMiners: An Overview of Techniques Used Post-Exploitation and Pre-Mining
Fireeye Threat Research • by Rakesh Sharma, Akhil Reddy, Kimberly Goody • 15 Feb 2018

Introduction
FireEye researchers recently observed threat actors abusing CVE-2017-10271 to deliver various cryptocurrency miners.
CVE-2017-10271 is a known input validation vulnerability that exists in the WebLogic Server Security Service (WLS Security) in Oracle WebLogic Server versions 12.2.1.2.0 and prior, and attackers can exploit it to remotely execute arbitrary code. Oracle released a Critical Patch Update that reportedly fixes this vulnerability. Users who failed to patch thei...

EternalBlue Exploit Used in Retefe Banking Trojan Campaign
Threatpost • Tom Spring • 22 Sep 2017

Criminals behind the Retefe banking Trojan have added a new component to their malware that uses the NSA exploit EternalBlue.
The update makes Retefe the latest malware family to adopt the SMBv1 attack against a patched Windows vulnerability, and could signal an emerging trend, said researchers at Proofpoint. Earlier this year, researchers at Flashpoint observed the TrickBot banking Trojan had added an EternalBlue module as well.
While Retefe has never reached the scale or reputation...

WannaCrypt ransomware snatches NSA exploit, fscks over Telefónica, other orgs in Spain
The Register • John Leyden • 12 May 2017

EternalBlue now an eternal headache

Updated Workers at Telefónica's Madrid headquarters were left staring at their screen on Friday following a ransomware outbreak.
Telefónica was one of several victims of a widespread file-encrypting ransomware outbreak, El Pais reports. Telefónica has confirmed the epidemic on its intranet while downplaying its seriousness, saying everything was under control. Fixed and mobile telephony services provided by the firm have not been affected.
Other Spanish targets of the attack repor...