https://github.com/worawit/MS17-010

MS17-010
https://github.com/worawit/MS17-010

Last synced: 1 day ago
JSON representation

MS17-010

• Host: GitHub
• URL: https://github.com/worawit/MS17-010
• Owner: worawit
• Created: 2017-06-19T16:47:31.000Z (over 8 years ago)
• Default Branch: master
• Last Pushed: 2023-06-20T08:27:19.000Z (over 2 years ago)
• Last Synced: 2025-05-29T07:29:04.994Z (6 months ago)
• Language: Python
• Size: 122 KB
• Stars: 2,190
• Watchers: 83
• Forks: 1,098
• Open Issues: 36
• Metadata Files:
  • Readme: README.md

Awesome Lists containing this project

• security-study-tutorial - MS17-010

README

          
# MS17-010

This repository is for public my work on MS17-010. I have no plan to do any support. **All support issues will not get response from me**.

## Files

 * **BUG.txt** MS17-010 bug detail and some analysis

 * **checker.py** Script for finding accessible named pipe

 * **eternalblue_exploit7.py** Eternalblue exploit for windows 7/2008

 * **eternalblue_exploit8.py** Eternalblue exploit for windows 8/2012 x64

 * **eternalblue_poc.py** Eternalblue PoC for buffer overflow bug

 * **eternalblue_kshellcode_x64.asm** x64 kernel shellcode for my Eternalblue exploit. This shellcode should work on Windows Vista and later

 * **eternalblue_kshellcode_x86.asm** x86 kernel shellcode for my Eternalblue exploit. This shellcode should work on Windows Vista and later

 * **eternalblue_sc_merge.py** Script for merging eternalblue x86 and x64 shellcode. Eternalblue exploit, that support both x86 and x64, with merged shellcode has no need to detect a target architecture

 * **eternalchampion_leak.py** Eternalchampion PoC for leaking info part

 * **eternalchampion_poc.py** Eternalchampion PoC for controlling RIP

 * **eternalchampion_poc2.py** Eternalchampion PoC for getting code execution

 * **eternalromance_leak.py** Eternalromance PoC for leaking info part

 * **eternalromance_poc.py** Eternalromance PoC for OOB write

 * **eternalromance_poc2.py** Eternalromance PoC for controlling a transaction which leading to arbitrary read/write

 * **eternalsynergy_leak.py** Eternalsynergy PoC for leaking info part

 * **eternalsynergy_poc.py** Eternalsynergy PoC for demonstrating heap spraying with large paged pool

 * **infoleak_uninit.py** PoC for leaking info from uninitialized transaction data buffer

 * **mysmb.py** Extended Impacket SMB class for easier to exploit MS17-010 bugs

 * **npp_control.py** PoC for controlling nonpaged pool allocation with session setup command

 * **zzz_exploit.py** Exploit for Windows 2000 and later (requires access to named pipe)

## Anonymous user

Anonymous user (null session) get more restriction on default settings of new Windows version. To exploit Windows SMB without authentication, below behavior should be aware.

* Since Windows Vista, default settings does not allow anonymous to access any named pipe

* Since Windows 8, default settings does not allow anonymous to access IPC$ share (IPC$ might be acessible but cannot do much)

## About NSA exploits

* **Eternalblue** requires only access to IPC$ to exploit a target while other exploits require access to named pipe too. So the exploit always works against Windows < 8 in all configuration (if tcp port 445 is accessible). However, Eternalblue has a chance to crash a target higher than other exploits.

* **Eternalchampion** requires access to named pipe. The exploit has no chance to crash a target.

* **Eternalromance** requires access to named pipe. The exploit can target Windows < 8 because the bug for info leak is fixed in Windows 8. The exploit should have a chance to crash a target lower than Eternalblue. I never test a reliable of the exploit.

* **Eternalsynergy** requires access to named pipe. I believe this exploit is modified from Eternalromance to target Windows 8 and later. Eternalsynergy uses another bug for info leak and does some trick to find executable memory (I do not know how it works because I read only output log and pcap file).