{"id":32998749,"url":"https://github.com/worawit/MS17-010","last_synced_at":"2025-11-18T07:02:06.225Z","repository":{"id":37405393,"uuid":"94799350","full_name":"worawit/MS17-010","owner":"worawit","description":"MS17-010","archived":false,"fork":false,"pushed_at":"2023-06-20T08:27:19.000Z","size":125,"stargazers_count":2190,"open_issues_count":36,"forks_count":1098,"subscribers_count":83,"default_branch":"master","last_synced_at":"2025-05-29T07:29:04.994Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/worawit.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2017-06-19T16:47:31.000Z","updated_at":"2025-05-26T11:51:10.000Z","dependencies_parsed_at":"2022-07-12T12:50:31.039Z","dependency_job_id":"206cffc6-5312-40e0-aee2-59e796e7b4e9","html_url":"https://github.com/worawit/MS17-010","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/worawit/MS17-010","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/worawit%2FMS17-010","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/worawit%2FMS17-010/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/worawit%2FMS17-010/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/worawit%2FMS17-010/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/worawit","download_url":"https://codeload.github.com/worawit/MS17-010/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/worawit%2FMS17-010/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":285020583,"owners_count":27101228,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-11-18T02:00:05.759Z","response_time":61,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-11-13T13:00:24.906Z","updated_at":"2025-11-18T07:02:06.219Z","avatar_url":"https://github.com/worawit.png","language":"Python","funding_links":[],"categories":["Tools"],"sub_categories":["Exploiter"],"readme":"# MS17-010\n\nThis repository is for publishing my work on MS17-010. I have no plan to provide any support. **Support issues will not get a response from me**.\n\n## Files\n\n * **BUG.txt** MS17-010 bug details and some analysis\n * **checker.py** Script for finding accessible named pipes\n * **eternalblue_exploit7.py** Eternalblue exploit for Windows 7/2008\n * **eternalblue_exploit8.py** Eternalblue exploit for Windows 8/2012 x64\n * **eternalblue_poc.py** Eternalblue PoC for the buffer overflow bug\n * **eternalblue_kshellcode_x64.asm** x64 kernel shellcode for my Eternalblue exploit. This shellcode should work on Windows Vista and later\n * **eternalblue_kshellcode_x86.asm** x86 kernel shellcode for my Eternalblue exploit. This shellcode should work on Windows Vista and later\n * **eternalblue_sc_merge.py** Script for merging the Eternalblue x86 and x64 shellcode. An Eternalblue exploit that supports both x86 and x64 with the merged shellcode has no need to detect the target architecture\n * **eternalchampion_leak.py** Eternalchampion PoC for the info leak part\n * **eternalchampion_poc.py** Eternalchampion PoC for controlling RIP\n * **eternalchampion_poc2.py** Eternalchampion PoC for getting code execution\n * **eternalromance_leak.py** Eternalromance PoC for the info leak part\n * **eternalromance_poc.py** Eternalromance PoC for the OOB write\n * **eternalromance_poc2.py** Eternalromance PoC for controlling a transaction, which leads to arbitrary read/write\n * **eternalsynergy_leak.py** Eternalsynergy PoC for the info leak part\n * **eternalsynergy_poc.py** Eternalsynergy PoC demonstrating heap spraying with the large paged pool\n * **infoleak_uninit.py** PoC for leaking info from an uninitialized transaction data buffer\n * **mysmb.py** Extended Impacket SMB class that makes exploiting the MS17-010 bugs easier\n * **npp_control.py** PoC for controlling nonpaged pool allocation with the session setup command\n * **zzz_exploit.py** Exploit for Windows 2000 and later (requires access to a named pipe)\n\n\n## Anonymous user\n\nAnonymous users (null sessions) face more restrictions under the default settings of newer Windows versions. To exploit Windows SMB without authentication, be aware of the behavior below.\n\n* Since Windows Vista, the default settings do not allow anonymous users to access any named pipe\n* Since Windows 8, the default settings do not allow anonymous users to access the IPC$ share (IPC$ might be accessible but cannot do much)\n\n\n## About NSA exploits\n\n* **Eternalblue** requires only access to IPC$ to exploit a target, while the other exploits require access to a named pipe too. So the exploit always works against Windows \u003c 8 in all configurations (if TCP port 445 is accessible). However, Eternalblue has a higher chance of crashing a target than the other exploits.\n* **Eternalchampion** requires access to a named pipe. The exploit has no chance of crashing a target.\n* **Eternalromance** requires access to a named pipe. The exploit can target Windows \u003c 8 because the bug used for the info leak is fixed in Windows 8. The exploit should have a lower chance of crashing a target than Eternalblue. I never tested the reliability of the exploit.\n* **Eternalsynergy** requires access to a named pipe. I believe this exploit is modified from Eternalromance to target Windows 8 and later. Eternalsynergy uses another bug for the info leak and does some tricks to find executable memory (I do not know how it works because I only read the output log and pcap file).\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fworawit%2FMS17-010","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fworawit%2FMS17-010","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fworawit%2FMS17-010/lists"}