Summary: EternalBlue exploits a vulnerability (MS17-010, CVE-2017-0144) in Microsoft's implementation of SMBv1. The SMBv1 server on unpatched versions of Windows mishandles specially crafted packets sent by a remote, unauthenticated attacker, and the mishandling lets the attacker execute arbitrary code in the kernel of the victim computer.
Origins: The exploit was written by the Equation Group, the industry name for a team widely attributed to the NSA's Tailored Access Operations (TAO) unit, which produced this and many other exploits. The Shadow Brokers leaked the tools to the public in April 2017, a month after Microsoft had shipped the MS17-010 patch.
How it works: EternalBlue triggers a buffer overflow in the kernel's non-paged pool. The SMBv1 server converts a client-supplied list of OS/2 extended attributes (an FEA list, delivered in an NT Trans request whose remainder arrives in Trans2 secondary packets) into NT format; the routine that sizes the list writes the parsed length back with a 16-bit store, so the server believes the list is larger than the buffer it allocated and copies entries past the end of it. With the pool groomed so that the overflow lands on an adjacent SMB connection buffer, the corrupted structure is used to redirect execution to the attacker's shellcode, which then installs the payload (DoublePulsar).
DoublePulsar: The shellcode installs DoublePulsar as a kernel-mode implant that hooks the SMB server's Trans2 dispatch table, so the backdoor lives inside srv.sys's own memory: no extra process, no new listening port, and all of its processing is done by the SMB service itself. Commands reach it as specially crafted Trans2 SESSION_SETUP requests on port 445. It is not a persistent backdoor, so you lose the compromise when the machine is rebooted. That said, it is very powerful for lateral movement, since it can load further payloads (a DLL, for example) into a process of the operator's choosing.
On the strength of Shodan data it has been said that if you run an unpatched system exposed to the internet, you have probably already been popped. One widely repeated figure, given here without a source, is that within three days of the Shadow Brokers dump about 3% of the IPv4 address space showed signs of compromise. Yikes.
Three big campaigns that used EternalBlue:
- WannaCry ransomware (May 2017)
- Adylkuzz, a Monero cryptominer that spread via EternalBlue before WannaCry did
- The Zealot campaign, also a Monero miner
The Metasploit method
In this example, I am running the EternalBlue exploit on HackTheBox‘s (HTB) machine named “Blue” — a VM that is specifically vulnerable to this attack.
nmap -A -p- 10.10.10.40

Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-24 12:05 CDT
Nmap scan report for 10.10.10.40
Host is up (0.044s latency).
Not shown: 65527 closed ports
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  msrpc        Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=8/24%OT=135%CT=1%CU=32274%PV=Y%DS=2%DC=T%G=Y%TM=5F43F3
OS:F3%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=109%TI=I%CI=I%II=I%SS=S%TS
OS:=7)OPS(O1=M54DNW8ST11%O2=M54DNW8ST11%O3=M54DNW8NNT11%O4=M54DNW8ST11%O5=M
OS:54DNW8ST11%O6=M54DST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=20
OS:00)ECN(R=Y%DF=Y%T=80%W=2000%O=M54DNW8NNS%CC=N%Q=)T1(R=Y%DF=Y%T=80%S=O%A=
OS:S+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y
OS:%T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD
OS:=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0
OS:%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1
OS:(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI
OS:=N%T=80%CD=Z)

Network Distance: 2 hops
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -17m16s, deviation: 34m37s, median: 2m41s
| smb-os-discovery:
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: haris-PC
|   NetBIOS computer name: HARIS-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2020-08-24T18:10:38+01:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-08-24T17:10:37
|_  start_date: 2020-08-24T04:01:54

TRACEROUTE (using port 80/tcp)
HOP RTT      ADDRESS
1   47.13 ms 10.10.14.1
2   47.28 ms 10.10.10.40

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 160.43 seconds
The scan already makes the target a likely candidate for this exploit (Windows 7 Professional 7601 Service Pack 1, SMBv1 answering on 445, guest access allowed and SMB message signing disabled), but it is worth confirming that the host really is vulnerable to MS17-010 before firing anything at it. Metasploit's auxiliary/scanner/smb/smb_ms17_010 module does this with a harmless probe and also reports whether a DoublePulsar implant is already installed; nmap's smb-vuln-ms17-010 script makes the same check. Scanning the target's system:
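What those scanners actually do on the wire is small enough to show in full. The following is an added example written for this page, not code from the original post and not the implementation inside Metasploit or nmap: it builds the SMB1 TRANS2 request with the SESSION_SETUP subcommand (0x000E) that the scanners send, parses a reply, and applies their decision rules (STATUS_INSUFF_SERVER_RESOURCES means unpatched, STATUS_NOT_IMPLEMENTED or STATUS_INVALID_PARAMETER means patched, and a reply MultiplexID of 0x51 to a probe sent with 0x41 means DoublePulsar answered). The tid/uid values, the Timeout of 0, and every server reply here are constructed for the demonstration; a real scan first performs the SMB Negotiate, an anonymous Session Setup and a Tree Connect to IPC$, and the DoublePulsar check encodes a ping opcode in the Timeout field, which is not reproduced.

```python
"""Offline model of the MS17-010 / DoublePulsar probe (added example)."""
import struct

SMB_COM_TRANSACTION2 = 0x32
TRANS2_SESSION_SETUP = 0x000E
PROBE_MID = 0x41            # MultiplexID the scanners put in the probe
DOUBLEPULSAR_MID = 0x51     # the implant answers with the probe's MID + 0x10

# NT status values the SMBv1 server returns to a TRANS2 SESSION_SETUP
STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205   # unpatched srv.sys: vulnerable
STATUS_NOT_IMPLEMENTED = 0xC0000002           # patched
STATUS_INVALID_PARAMETER = 0xC000000D         # patched
STATUS_ACCESS_DENIED = 0xC0000022             # no usable session; retry with creds

# SMB1 header: \xffSMB, Command, Status, Flags, Flags2, PIDHigh, Signature,
# Reserved, TID, PID, UID, MID  (32 bytes)
SMB_HEADER = struct.Struct("<4sBIBHH8sHHHHH")


def smb_header(command, status=0, flags1=0x18, flags2=0xC007,
               tid=0, pid=0, uid=0, mid=PROBE_MID):
    return SMB_HEADER.pack(b"\xffSMB", command, status, flags1, flags2, 0,
                           b"\x00" * 8, 0, tid, pid, uid, mid)


def build_ms17_010_probe(tid, uid, pid=0xFEFF, timeout=0):
    """TRANS2 request carrying no parameters or data, with SESSION_SETUP as
    its single setup word.  tid/uid come from the Tree Connect to IPC$ that
    a scanner performs first.  Timeout is where a DoublePulsar opcode would
    be encoded; 0 here (assumption: plain vulnerability probe)."""
    word_count = 15
    # Offsets count from the start of the SMB header:
    # header + WordCount byte + 15 words + ByteCount field.
    param_offset = SMB_HEADER.size + 1 + word_count * 2 + 2
    words = struct.pack(
        "<HHHHBBHIHHHHHBB",
        0, 0,               # TotalParameterCount, TotalDataCount
        1024, 65504,        # MaxParameterCount, MaxDataCount
        0, 0,               # MaxSetupCount, Reserved1
        0, timeout,         # Flags, Timeout
        0,                  # Reserved2
        0, param_offset,    # ParameterCount, ParameterOffset
        0, param_offset,    # DataCount, DataOffset
        1, 0,               # SetupCount, Reserved3
    )
    setup = struct.pack("<H", TRANS2_SESSION_SETUP)
    byte_count = struct.pack("<H", 0)
    return (smb_header(SMB_COM_TRANSACTION2, tid=tid, pid=pid, uid=uid)
            + bytes([word_count]) + words + setup + byte_count)


def netbios_frame(smb):
    """NetBIOS Session Service wrapper used on TCP/445: type 0 + 24-bit length."""
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def parse_smb_reply(frame):
    """Return (command, status, flags1, mid) from a NetBIOS-framed SMB1 reply."""
    if len(frame) < 4 + SMB_HEADER.size:
        raise ValueError("frame too short for an SMB1 header")
    length = int.from_bytes(frame[1:4], "big")
    smb = frame[4:4 + length]
    (proto, command, status, flags1, _flags2, _pid_hi, _sig, _res,
     _tid, _pid, _uid, mid) = SMB_HEADER.unpack_from(smb, 0)
    if proto != b"\xffSMB":
        raise ValueError("not an SMB1 packet")
    return command, status, flags1, mid


def classify_reply(frame):
    """Apply the scanners' decision rules to one reply to the probe."""
    command, status, flags1, mid = parse_smb_reply(frame)
    if command != SMB_COM_TRANSACTION2 or not flags1 & 0x80:   # 0x80 = reply bit
        return "unexpected reply"
    if mid == DOUBLEPULSAR_MID:
        return "DoublePulsar implant present"
    if status == STATUS_INSUFF_SERVER_RESOURCES:
        return "likely VULNERABLE to MS17-010"
    if status in (STATUS_NOT_IMPLEMENTED, STATUS_INVALID_PARAMETER):
        return "patched"
    if status == STATUS_ACCESS_DENIED:
        return "could not test: access denied, retry with credentials"
    return "unknown status 0x%08X" % status


def constructed_reply(status, mid=PROBE_MID):
    """Constructed sample reply (not a capture): reply flag set, empty body."""
    body = b"\x00" + struct.pack("<H", 0)   # WordCount 0, ByteCount 0
    return netbios_frame(smb_header(SMB_COM_TRANSACTION2, status=status,
                                    flags1=0x98, mid=mid) + body)


if __name__ == "__main__":
    print(netbios_frame(build_ms17_010_probe(tid=0x0800, uid=0x0800)).hex())
    for s, m in [(STATUS_INSUFF_SERVER_RESOURCES, PROBE_MID),
                 (STATUS_NOT_IMPLEMENTED, PROBE_MID),
                 (STATUS_NOT_IMPLEMENTED, DOUBLEPULSAR_MID)]:
        print(hex(s), hex(m), "->", classify_reply(constructed_reply(s, m)))
```

The probe is only 65 bytes of SMB and asks the server for nothing, which is why the scanners can be run safely against production hosts; the verdict comes entirely from which status code the SMBv1 dispatcher answers with, and from whether something other than the real server (the implant) answered under a bumped MultiplexID.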
Other than that, it's simply a matter of loading exploit/windows/smb/ms17_010_eternalblue, setting RHOSTS (the target) and LHOST (the address your reverse shell should call back to), and running the exploit:
Here we can see that we came riding in on spoolsv.exe:
The Autoblue method
Step 0: Google "AutoBlue github" to find 3ndG4me's repository (AutoBlue-MS17-010) and clone it.
Step 1: In the shellcode directory, run shell_prep.sh to prepare the shellcode. It asks for your LHOST and LPORT and builds the kernel shellcode plus the reverse-shell payload that the exploit will inject.
Step 2: Go back to the main repository directory (cd ..) and run listener_prep.sh, which launches Metasploit with a multi/handler listening for that payload.
Step 3: Run the exploit script for the target's Windows version (eternalblue_exploit7.py for this Windows 7 box) in a separate terminal tab.
We can tab back to our Metasploit window to see whether a session has been established.
My initial attempts were unsuccessful, but after playing around with the 4th parameter (Number of Groom Connections) I was able to open a meterpreter session.
So, to get this exploit to succeed, it may be necessary to run it more than once with a different number of groom connections. Groom connections are extra SMB connections the exploit opens so that the server allocates a row of connection buffers next to each other in the kernel's non-paged pool; the overflow is then aimed at one of those predictable neighbours so that the corrupted buffer is the one the shellcode can be written through, and how many connections it takes depends on the state of the pool at that moment.
We can list our open sessions (sessions -l) and interact with the new one (sessions -i <id>) to use our new shell.
From here I poked around the system and found the HTB flags on each of the target users' Desktops. To collect the flags for HackTheBox's Blue machine, I navigated to each user's Desktop, where they sat in .txt files (as seen with Administrator below).