4.3
MEDIUM

CVE-2017-0147

Published: 17/03/2017 Updated: 21/06/2018
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
CVSS v3 Base Score: 5.9 | Impact Score: 3.6 | Exploitability Score: 2.2

Vulnerability Summary

The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote malicious users to obtain sensitive information from process memory via crafted packets, aka "Windows SMB Information Disclosure Vulnerability."

Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N
Access Complexity: MEDIUM
Authentication: NONE
Access Vector: NETWORK
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

Affected Products

Vendor     Product               Versions
Microsoft  Server Message Block  1.0

Exploits

## # This module requires Metasploit: metasploit.com/download # Current source: github.com/rapid7/metasploit-framework ## # Windows XP systems that are not part of a domain default to treating all # network logons as if they were Guest. This prevents SMB relay attacks from # gaining administrative access to these systems. This sett ...
## # This module requires Metasploit: metasploit.com/download # Current source: github.com/rapid7/metasploit-framework ## # auxiliary/scanner/smb/smb_ms_17_010 require 'msf/core' class MetasploitModule < Msf::Auxiliary include Msf::Exploit::Remote::SMB::Client include Msf::Exploit::Remote::SMB::Client::Authenticated inc ...
# Exploit Author: Juan Sacco <juansacco@kpn.com> at KPN Red Team - www.kpn.com # Date and time of release: May, 9 2017 - 13:00PM # Found this and more exploits on my open source security project: www.exploitpack.com # # MS17-010 - technet.microsoft.com/en-us/library/security/ms17-010.aspx # Tested on: Microsoft Wind ...

Metasploit Modules

MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution

This module exploits the MS17-010 SMB vulnerabilities to obtain a write-what-where primitive. That primitive is used to overwrite the connection's session information so that the connection is treated as an Administrator session; from there the normal psexec payload code execution is performed. It exploits a type confusion between Transaction and WriteAndX requests and a race condition in Transaction requests, as seen in the EternalRomance, EternalChampion, and EternalSynergy exploits. This exploit chain is more reliable than the EternalBlue exploit, but requires an accessible named pipe.

msf > use exploit/windows/smb/ms17_010_psexec
msf exploit(ms17_010_psexec) > show targets
    ...targets...
msf exploit(ms17_010_psexec) > set TARGET <target-id>
msf exploit(ms17_010_psexec) > show options
    ...show and set options...
msf exploit(ms17_010_psexec) > exploit

MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution

This module exploits the MS17-010 SMB vulnerabilities to obtain a write-what-where primitive. That primitive is used to overwrite the connection's session information so that the connection is treated as an Administrator session; from there the normal psexec command execution is performed. It exploits a type confusion between Transaction and WriteAndX requests and a race condition in Transaction requests, as seen in the EternalRomance, EternalChampion, and EternalSynergy exploits. This exploit chain is more reliable than the EternalBlue exploit, but requires an accessible named pipe.

msf > use auxiliary/admin/smb/ms17_010_command
msf auxiliary(ms17_010_command) > show actions
    ...actions...
msf auxiliary(ms17_010_command) > set ACTION <action-name>
msf auxiliary(ms17_010_command) > show options
    ...show and set options...
msf auxiliary(ms17_010_command) > run

MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption

This module is a port of the Equation Group ETERNALBLUE exploit, part of the FuzzBunch toolkit released by the Shadow Brokers. There is a buffer overflow in the memmove operation in Srv!SrvOs2FeaToNt. The size is calculated in Srv!SrvOs2FeaListSizeToNt, with a mathematical error in which a DWORD is subtracted into a WORD. The kernel pool is groomed so that the overflow is well laid out to overwrite an SMBv1 buffer. The actual RIP hijack is later completed in srvnet!SrvNetWskReceiveComplete. This exploit, like the original, may not trigger 100% of the time and should be run repeatedly until it triggers; the pool appears to have hot streaks and to need a cool-down period before shells land again. By default the module attempts an Anonymous login to authenticate before exploitation; if credentials are supplied in the SMBUser, SMBPass, and SMBDomain options it uses those instead. On some systems this module may cause instability and crashes, such as a BSOD or a reboot, and this may be more likely with some payloads.

msf > use exploit/windows/smb/ms17_010_eternalblue
msf exploit(ms17_010_eternalblue) > show targets
    ...targets...
msf exploit(ms17_010_eternalblue) > set TARGET <target-id>
msf exploit(ms17_010_eternalblue) > show options
    ...show and set options...
msf exploit(ms17_010_eternalblue) > exploit

MS17-010 SMB RCE Detection

Uses an information disclosure to determine whether MS17-010 has been applied. Specifically, it connects to the IPC$ tree and attempts a transaction on FID 0. If the status returned is STATUS_INSUFF_SERVER_RESOURCES (NT status 0xC0000205), the machine does not have the MS17-010 patch. If the patch is missing, the module additionally checks for an existing DoublePulsar (ring 0 shellcode/malware) infection. The module does not require valid SMB credentials in default server configurations: it can log on as the user "\" (an anonymous null session) and connect to IPC$. It does require SMBv1 to be enabled on the target; a host that refuses the anonymous session or the IPC$ tree connect cannot be classified either way by this check.

msf > use auxiliary/scanner/smb/smb_ms17_010
msf auxiliary(smb_ms17_010) > show actions
    ...actions...
msf auxiliary(smb_ms17_010) > set ACTION <action-name>
msf auxiliary(smb_ms17_010) > show options
    ...show and set options...
msf auxiliary(smb_ms17_010) > run

Github Repositories

#EBEK--EternalBlue-EK EternalBlue EternalSynergy EternalRomance EternalChampion :: CVE List :: CVE-2017-0143 CVE-2017-0144 CVE-2017-0145 CVE-2017-0146 CVE-2017-0147 CVE-2017-0148 :: Tested On :: Windows XP SP3 x86 Windows XP SP2 x64 Windows 7 SP1 x86 Windows 7 SP1 x64 Windows 8.1 x86 Windows 8.1 x64 Windows 10 Pro Build 10240 x64 Windows Server 2000 SP4 x86 Wi

A utility for checking whether the MS17-010 update is installed. The utility lets you quickly scan a network for hosts on which the MS17-010 update is missing. This update closes the vulnerabilities CVE-2

SecScripts A Bunch of Scripts Which Look at Fixing Security Vulnerabilities otherwise delaying an attack Available Scripts Name (Directory) CVE/Vulnerabilty Also Known As Description Affects MSB-MS17-010 CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0147, CVE-2017-0148 EternalBlue (NSA), WannaCrypt/WannaCry/WCry/WannaCrypt0r (Used as an Exploit fo

-EBEKv20 ########### EBEKv20 Updates and Changes: Multi-Threading fixed and optimized Scan from IP text list (Optimized for masscan use) Added payload option for PS1 New scan mode added to continually scan and repeat list Scan is much faster ########### EternalBlue_EK EternalBlue EternalSynergy EternalRomance EternalChampion :: CVE List :: CVE-2017-0143 CVE-2017-0144

#EBEK-Manual_Mode Exploit EternalBlue EternalSynergy EternalRomance EternalChampion :: CVE List :: CVE-2017-0143 CVE-2017-0144 CVE-2017-0145 CVE-2017-0146 CVE-2017-0147 CVE-2017-0148 :: Tested On :: Windows XP SP3 x86 Windows XP SP2 x64 Windows 7 SP1 x86 Windows 7 SP1 x64 Windows 8.1 x86 Windows 8.1 x64 Windows 10 Pro Build 10240 x64 Windows Server 2000 SP4 x86 Windows

MS17-010 SMB Remote Code Execution (MS17-010) Exploit CVE CVE-2017-0143 CVE-2017-0144 CVE-2017-0145 CVE-2017-0146 CVE-2017-0147 CVE-2017-0148

SMB-CVE CVE listings for Windows SMB vulnerabilities. SMB Server Vulnerabilities: these could be in any of the SMB drivers and their supporting services. Bulletin | Type | CVE | Description: MS02-070 | RCE | CAN-2002-1256 | Flaw in SMB Signing Could Enable Group Policy to be Modified; MS03-024 | RCE | CAN-2003-0345 | Buffer overflow in the SMB capability

Awesome CVE PoC A curated list of CVE PoCs Here is a collection about Proof of Concepts of Common Vulnerabilities and Exposures, and you may also want to check out awesome-web-security Please read the contribution guidelines before contributing This repo is full of PoCs for CVEs If you enjoy this awesome list and would like to support it, check out my Patreon page :

Recent Articles

WannaCrypt ransomware snatches NSA exploit, fscks over Telefónica, other orgs in Spain
The Register • John Leyden • 12 May 2017

EternalBlue now an eternal headache

Workers at Telefónica's Madrid headquarters were left staring at their screens on Friday following a ransomware outbreak.
Telefónica was one of several victims of a widespread file-encrypting ransomware outbreak, El Pais reports. Telefónica has confirmed the epidemic on its intranet while downplaying its seriousness, saying everything was under control. Fixed and mobile telephony services provided by the firm have not been affected.
Other Spanish targets of the attack repor...

ShadowBrokers’ Windows Zero-Days Already Patched
Threatpost • Michael Mimoso • 17 Apr 2017

Hours after what was thought to be a damaging release of NSA hacking tools for Windows systems, Microsoft quelled some anxiety with a late-night statement on Friday that most of the vulnerabilities disclosed by the ShadowBrokers had already been patched.
The biggest surprise was that the most recent updates came in March in a bulletin, MS17-010, addressing six critical remote code execution vulnerabilities in Windows Server Message Block (SMB). Two of the six (CVE-2017-0146 and CVE-2017-01...
