(MS17-010) NSA Leak Eternal Blue with DoublePulsar Payload Exploitation (SMBv1)


The Shadow Brokers released a large trove of Windows hacking tools and exploits allegedly stolen from the NSA. The exploits work against almost every Windows version of the time, from Windows 2000 and XP through Windows 7 and 8, and their server counterparts (Server 2000, 2003, 2008, 2008 R2 and 2012); the leaked exploits do not target Windows 10 or Windows Server 2016.

The leaked tools are mirrored in this GitHub repository: https://github.com/misterch0c/shadowbroker

After analysing the disclosed exploits, however, Microsoft's security team said that most of the Windows vulnerabilities these tools exploit, including the SMBv1 bugs used by EternalBlue, EternalChampion, EternalSynergy and EternalRomance, had already been fixed in the previous month's Patch Tuesday update, MS17-010 (released March 14, 2017).

Microsoft said so in an MSRC blog post published on April 14, 2017 (linked in the references).

Among the Windows exploits published by The Shadow Brokers, ETERNALBLUE is the only one that can be used to attack Windows 7 and Windows Server 2008 without authentication.

For the exploitation I will be using FuzzBunch, the leaked NSA exploitation framework (the NSA's equivalent of Metasploit).

Here is the Nessus scanner result for MS17-010 (SMBv1) on the target:

For exploiting MS17-010 I have configured the following in my lab:

  • Windows 7 x86 – target machine
  • Kali Linux – attacker machine running PowerShell Empire / Metasploit (the listener the payload connects back to)
  • Windows XP – attacker machine running FuzzBunch with EternalBlue and DoublePulsar (FuzzBunch needs a Windows host with 32-bit Python 2.6 and PyWin32)

Open a command prompt in the FuzzBunch directory and type python fb.py to launch it. FuzzBunch first asks for the default target IP address, the default callback IP address, whether to use redirection (no, in this lab), a log directory and a project name.

Note: the "Callback IP address" is the attacker's IP, the address the target will connect back to.

The next step is to select an exploit; here I have selected EternalBlue (use Eternalblue) and confirmed the target and callback settings it prompts for.

Now let's run the exploit (execute) and wait for the result.

As expected, the EternalBlue exploit succeeded. The target now carries the DoublePulsar kernel backdoor, which is what the DoublePulsar payload module talks to in the next step.

Now create a malicious DLL to inject into the target using PowerShell Empire (its windows/dll stager) or Metasploit (msfvenom with a Meterpreter payload in DLL format). The DLL must match the target's architecture, x86 here, because DoublePulsar injects it into a process of the architecture you select.

Type use Doublepulsar at the FuzzBunch prompt to select the payload module.

The DoublePulsar module configured: Function RunDLL, DllPayload pointing at the malicious DLL, DllOrdinal 1, and the process to inject into (lsass.exe by default).

Launch the attack (execute) against the target machine.

As expected, the payload was successfully injected into the target machine.

The PowerShell Empire listener received a connection from the target machine.

Active agents on the attacker box:

Running Mimikatz on the target machine through the Empire agent:

The same with Metasploit, using a Meterpreter DLL:

After backdooring the target with DoublePulsar, Nessus flags the implant (the SMB server DOUBLEPULSAR backdoor detection). The implant answers its unauthenticated SMB ping for anyone who sends it, so a backdoored host is open to everybody, not just the attacker who planted it. It lives only in kernel memory, so a reboot removes it, but the host stays exploitable until MS17-010 is installed (and SMBv1 is disabled where it is not needed).
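The two Nessus results in this post, the MS17-010 finding before exploitation and the DoublePulsar detection after it, can be reproduced with a handful of raw SMBv1 requests. The script below is an added example written for this page; it is not part of the original post, of Nessus or of FuzzBunch. It assumes the target listens on TCP 445 and allows an anonymous (null) session to IPC$, as a default Windows 7 does; the multiplex IDs 0x42/0x41, the host name and the constructed responses in offline_demo() are illustrative. It sends the PeekNamedPipe transaction on FID 0 that Nessus and Metasploit use (an unpatched host replies STATUS_INSUFF_SERVER_RESOURCES, 0xC0000205) and then the Trans2 SESSION_SETUP ping that the implant hooks (a clean server echoes MID 0x41, DoublePulsar answers with 0x51).

```python
"""Probe a host over SMBv1 for MS17-010 and a resident DoublePulsar implant.

Added example, not from the post or FuzzBunch. Assumes the target allows an
anonymous (null) session to IPC$, as a default Windows 7 install does."""
import socket
import struct
import sys

SMB_COM_NEGOTIATE, SMB_COM_SESSION_SETUP_ANDX, SMB_COM_TREE_CONNECT_ANDX = 0x72, 0x73, 0x75
SMB_COM_TRANSACTION, SMB_COM_TRANSACTION2 = 0x25, 0x32
STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205        # unpatched answer to PeekNamedPipe on FID 0
DOUBLEPULSAR_PING_TIMEOUT = 0x00A4D9A6             # byte sum 0xA6+0xD9+0xA4 = 0x223 -> opcode 0x23 (ping)
HDR = "<4sBIBHH8sHHHHH"                            # 32-byte SMB1 header

def smb_header(command, tid=0, uid=0, mid=0, status=0):
    # Flags 0x18; Flags2 0x4001 = NT status codes + long names, no Unicode (strings are ASCII).
    return struct.pack(HDR, b"\xffSMB", command, status, 0x18, 0x4001, 0, b"\0" * 8, 0, tid, 0xFEFF, uid, mid)

def parse_smb_header(smb):
    if len(smb) < 32 or smb[:4] != b"\xffSMB":
        raise ValueError("not an SMB1 message")
    f = struct.unpack(HDR, smb[:32])
    return {"command": f[1], "status": f[2], "signature": f[6], "tid": f[8], "uid": f[10], "mid": f[11]}

def negotiate_request():
    dialects = b"\x02NT LM 0.12\x00"
    return smb_header(SMB_COM_NEGOTIATE) + b"\x00" + struct.pack("<H", len(dialects)) + dialects

def session_setup_request():
    # WordCount 13; zero-length OEM/Unicode passwords and empty account/domain = null session.
    words = struct.pack("<BBBHHHHIHHII", 13, 0xFF, 0, 0, 0xFFDF, 2, 1, 0, 0, 0, 0, 0x40)
    data = b"\x00\x00\x00\x00"   # account, domain, native OS, native LAN manager
    return smb_header(SMB_COM_SESSION_SETUP_ANDX) + words + struct.pack("<H", len(data)) + data

def tree_connect_request(host, uid):
    data = b"\x00" + ("\\\\%s\\IPC$" % host).encode() + b"\x00?????\x00"   # password, path, service
    words = struct.pack("<BBBHHH", 4, 0xFF, 0, 0, 0, 1)                    # password length 1
    return smb_header(SMB_COM_TREE_CONNECT_ANDX, uid=uid) + words + struct.pack("<H", len(data)) + data

def ms17_010_probe(tid, uid):
    # SMB_COM_TRANSACTION, SetupCount 2: subcommand PeekNamedPipe (0x23) on FID 0.
    name = b"\\PIPE\\\x00"
    off = 32 + 1 + 32 + 2 + len(name)   # parameter/data offset just past the name (74)
    words = struct.pack("<BHHHHBBHIHHHHHBBHH", 16, 0, 0, 0xFFFF, 0xFFFF, 0, 0, 0, 0, 0,
                        0, off, 0, off, 2, 0, 0x23, 0)
    return smb_header(SMB_COM_TRANSACTION, tid, uid, 0x42) + words + struct.pack("<H", len(name)) + name

def doublepulsar_ping(tid, uid):
    # Trans2 SESSION_SETUP (0x0E) carrying the ping opcode in Timeout; request MID 0x41.
    off = 32 + 1 + 30 + 2 + 1           # 12 parameter bytes after a 1-byte pad (offset 66)
    words = struct.pack("<BHHHHBBHIHHHHHBBH", 15, 12, 0, 1, 0, 0, 0, 0, DOUBLEPULSAR_PING_TIMEOUT,
                        0, 12, off, 0, off + 12, 1, 0, 0x0E)
    data = b"\x00" * 13
    return smb_header(SMB_COM_TRANSACTION2, tid, uid, 0x41) + words + struct.pack("<H", len(data)) + data

def is_ms17_010_vulnerable(status):
    return status == STATUS_INSUFF_SERVER_RESOURCES

def has_doublepulsar(mid):
    return mid == 0x51                  # the implant rewrites the echoed MID 0x41 to 0x51

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("SMB connection closed")
        buf += chunk
    return buf

def exchange(sock, smb):
    sock.sendall(struct.pack(">I", len(smb)) + smb)                 # NetBIOS session message
    length = struct.unpack(">I", recv_exact(sock, 4))[0] & 0xFFFFFF
    return parse_smb_header(recv_exact(sock, length))

def probe(host, port=445, timeout=5):
    with socket.create_connection((host, port), timeout) as sock:
        for req in (negotiate_request(), session_setup_request()):
            r = exchange(sock, req)
            if r["status"]:
                raise RuntimeError("session setup failed, NT status 0x%08X" % r["status"])
        uid = r["uid"]
        tid = exchange(sock, tree_connect_request(host, uid))["tid"]
        vuln = is_ms17_010_vulnerable(exchange(sock, ms17_010_probe(tid, uid))["status"])
        implant = has_doublepulsar(exchange(sock, doublepulsar_ping(tid, uid))["mid"])
    return vuln, implant

def offline_demo():
    # Constructed responses, not captured traffic: an unpatched host and an implanted one.
    unpatched = smb_header(SMB_COM_TRANSACTION, 1, 2, 0x42, STATUS_INSUFF_SERVER_RESOURCES)
    implanted = smb_header(SMB_COM_TRANSACTION2, 1, 2, 0x51)
    return (is_ms17_010_vulnerable(parse_smb_header(unpatched)["status"]),
            has_doublepulsar(parse_smb_header(implanted)["mid"]))

if __name__ == "__main__":
    if len(sys.argv) == 2:
        print("MS17-010 vulnerable: %s, DoublePulsar present: %s" % probe(sys.argv[1]))
    else:
        print("offline demo (vulnerable, implanted):", offline_demo())
```

Save it as probe.py and run python probe.py 192.168.x.y against the lab target before and after the EternalBlue step; with no argument it only parses the two constructed responses. Both checks ride on a null session, which is why neither Nessus nor this script needs credentials. A reboot of the target flips the second result back to False but not the first: the host stays vulnerable until MS17-010 is installed.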

References:

MS17-010 security bulletin: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

MSRC, "Protecting customers and evaluating risk" (April 14, 2017): https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/

The Hacker News coverage of the leak and the patches: http://thehackernews.com/2017/04/window-zero-day-patch.html

Shadow Brokers leak mirror on GitHub: https://github.com/misterch0c/shadowbroker
