Oh, good, three NSA exploits previously leaked by The Shadow Brokers have been tweaked so they now work on every vulnerable Windows release from Windows 2000 through Windows Server 2016, on the workstation editions as well as the server ones.
Before this, EternalSynergy, EternalRomance, and EternalChampion had partially been used in the NotPetya cyber attack. However, they had not been used by malicious actors nearly as much as EternalBlue because they didn’t work on recent Windows versions. That has now changed thanks to RiskSense security researcher Sean Dillon, aka @zerosum0x0, who ported the Microsoft Server Message Block (SMB) exploits to work on Windows versions released over the past 18 years.
Can you judge by a disclaimer how much reworked exploits might wreck your digital world? Dillon’s disclaimer warned:
This software has been created purely for the purposes of academic research and for the development of effective defensive techniques, and is not intended to be used to attack systems except where explicitly authorized. Authors and project maintainers are not responsible or liable for misuse of the software. Use responsibly.
MS17-010 #EternalSynergy #EternalRomance #EternalChampion exploit and auxiliary modules for @Metasploit. Support for Windows 2000 through 2016. I basically bolted MSF psexec onto @sleepya_ zzz_exploit. https://t.co/UnGA1u4gWe pic.twitter.com/Y9SMFJguH1
— zǝɹosum0x0🦉 (@zerosum0x0) January 29, 2018
The “new and improved” versions of these exploits were ported to the Metasploit Framework.
How the exploits work
Tripwire explained, “Each of the revised exploits boasts remote command and code execution modules that rely on the zzz_exploit adaptation in that they exploit the SMB connection session structures to gain Admin/SYSTEM access. Unlike EternalBlue, EternalSynergy, EternalRomance, and EternalChampion do not use kernel shellcode to stage Meterpreter. Someone could still stage Meterpreter, a payload which comes with the Metasploit penetration testing software, but they would likely need to evade their payloads.”
While that doesn’t mean this is the end for EternalBlue, Dillon noted, “This module is highly reliable and preferred over EternalBlue where a Named Pipe is accessible for anonymous logins (generally, everything pre-Vista, and relatively common for domain computers in the wild).”
Security researcher Kevin Beaumont tried it out and added that it is reliable and doesn’t cause a Blue Screen of Death like EternalBlue does.
Big one: SMB exploit (fixed in MS17-010+) now ported to Windows 2000 up to Windows Server 2016, and all versions in between. Reliable, doesn’t cause BSOD like EternalBlue either. I’ve tried on Win2000 and XP. https://t.co/EZ96eFsV5C
— Kevin Beaumont (@GossiTheDog) January 29, 2018
According to Heimdal Security, “Instead of going for injecting a shellcode into a target system and taking control over it, attackers will try to overwrite the SMB (Server Message Block) connection session structures to gain admin rights over the system.”
Dillon added, “Unlike EternalBlue, the exploit module will drop to disk (or use a PowerShell command).”
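Because the ported modules bolt Metasploit's psexec onto zzz_exploit and, as Dillon says, drop to disk, what lands on a victim looks like classic psexec lateral movement: a network logon (Security event 4624, LogonType 3, often ANONYMOUS LOGON on the pre-Vista hosts where the anonymous pipe path works) followed within seconds by a new service (System event 7045) whose binary was just written into the Windows directory. The following detection logic is an added example, not code from the article or from the Metasploit modules it describes; the event records, account names, service name and addresses are constructed so that it runs offline, and for live use the same objects would be built from Get-WinEvent output.

```powershell
# Added example (not from the article or from Metasploit): correlate a 7045 service
# install whose image sits directly in %SystemRoot% with a preceding type-3 logon.
function Find-PsexecStyleLateralMovement {
    param(
        [Parameter(Mandatory)] [object[]] $LogonEvents,    # objects with Time, Account, LogonType, SourceIp
        [Parameter(Mandatory)] [object[]] $ServiceEvents,  # objects with Time, ServiceName, ImagePath
        [int] $WindowSeconds = 60                          # how close the logon must precede the service install
    )

    $findings = @()
    foreach ($svc in $ServiceEvents) {
        # Heuristic: a service binary directly under the Windows directory (what a drop into
        # the ADMIN$ share looks like) rather than under System32 or Program Files.
        $droppedInSystemRoot = $svc.ImagePath -match '^(?i)(%SystemRoot%|C:\\Windows)\\[^\\]+\.exe(\s|$)'
        if (-not $droppedInSystemRoot) { continue }

        # Any network logon that landed within the window before the service was created
        $precedingLogons = $LogonEvents | Where-Object {
            $_.LogonType -eq 3 -and
            $_.Time -le $svc.Time -and
            ($svc.Time - $_.Time).TotalSeconds -le $WindowSeconds
        }
        foreach ($logon in $precedingLogons) {
            $findings += [pscustomobject]@{
                ServiceTime  = $svc.Time
                ServiceName  = $svc.ServiceName
                ImagePath    = $svc.ImagePath
                LogonAccount = $logon.Account
                SourceIp     = $logon.SourceIp
                Anonymous    = ($logon.Account -eq 'ANONYMOUS LOGON')
            }
        }
    }
    return $findings
}

# Constructed sample records: times, accounts, service name and addresses are invented.
$t0 = Get-Date '2018-02-01T10:00:00'
$logons = @(
    [pscustomobject]@{ Time = $t0;                 Account = 'ANONYMOUS LOGON'; LogonType = 3; SourceIp = '10.0.0.25' }
    [pscustomobject]@{ Time = $t0.AddMinutes(-30); Account = 'CORP\backup';     LogonType = 3; SourceIp = '10.0.0.9'  }
)
$services = @(
    [pscustomobject]@{ Time = $t0.AddSeconds(4);   ServiceName = 'kZxMvpQe'; ImagePath = '%SystemRoot%\kZxMvpQe.exe' }
    [pscustomobject]@{ Time = $t0.AddSeconds(900); ServiceName = 'Spooler';  ImagePath = 'C:\Windows\System32\spoolsv.exe' }
)

# Only the first service (random name, binary in %SystemRoot%, 4 s after the anonymous logon) is reported.
Find-PsexecStyleLateralMovement -LogonEvents $logons -ServiceEvents $services | Format-Table -AutoSize
```

The window and the image-path pattern are the tunable parts: legitimate installers also create services, so the signal is the combination of a fresh binary in the Windows directory with a network logon seconds earlier, not either event on its own.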
In the span of a few short days, the newly modified exploits became two of the most popular tested modules for Metasploit.
exploit/windows/smb/ms17_010_psexec and auxiliary/admin/smb/ms17_010_command are now surely two of the most vigorously tested modules in all of @Metasploit. Thanks to everyone who helped! Should land to master branch soon… pic.twitter.com/NKy8nopF9p
— zǝɹosum0x0🦉 (@zerosum0x0) February 2, 2018
“It is worth mentioning that these exploits could have self-replicating abilities that enable them to spread fast and impact lots of machines, so we urge you to apply all software patches available,” wrote Heimdal Security.
Microsoft issued a patch in March 2017. If you haven’t deployed the fixes on your box yet, then it would be wise to do so now.
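The two conditions the article's sources point at are whether the March 2017 fix is installed and whether the host still exposes SMBv1 with anonymous access to named pipes, which is where Dillon says these modules are preferred over EternalBlue. The script below is an added local audit, not code from the article, Microsoft or Metasploit, and it assumes an elevated PowerShell prompt. The KB list is a placeholder: the update identifiers differ per Windows version and should be taken from Microsoft's MS17-010 bulletin for the host being checked. The registry locations are Microsoft's documented LanmanServer and LSA settings; Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later, so older hosts fall back to the registry value.

```powershell
# Added example (not from the article): report MS17-010 patch state, SMBv1 state and
# anonymous named-pipe settings on the local host.
function Test-Ms17010Exposure {
    param(
        # Placeholder: fill in from Microsoft's MS17-010 bulletin for this host's OS version
        [string[]] $Ms17010Kbs = @('KB_FROM_MS17-010_BULLETIN')
    )

    $lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # 1. Is any of the listed updates installed?
    $installed = Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID
    $patched   = @($Ms17010Kbs | Where-Object { $installed -contains $_ }).Count -gt 0

    # 2. Is the SMBv1 server still enabled? Cmdlet on Win8/2012+, registry value on older hosts.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        $v    = (Get-ItemProperty -Path $lanman -Name SMB1 -ErrorAction SilentlyContinue).SMB1
        $smb1 = ($null -eq $v) -or ($v -ne 0)   # an absent value means SMBv1 is on
    }

    # 3. Anonymous (null-session) access: LSA RestrictAnonymous, plus the server's
    #    RestrictNullSessAccess switch and the list of pipes still open to null sessions.
    $restrictAnon = (Get-ItemProperty -Path $lsa    -Name RestrictAnonymous      -ErrorAction SilentlyContinue).RestrictAnonymous
    $restrictNull = (Get-ItemProperty -Path $lanman -Name RestrictNullSessAccess -ErrorAction SilentlyContinue).RestrictNullSessAccess
    $nullPipes    = (Get-ItemProperty -Path $lanman -Name NullSessionPipes       -ErrorAction SilentlyContinue).NullSessionPipes

    [pscustomobject]@{
        Ms17010Patched         = $patched
        Smb1Enabled            = $smb1
        RestrictAnonymous      = $restrictAnon
        RestrictNullSessAccess = $restrictNull
        NullSessionPipes       = ($nullPipes -join ', ')
        # Unpatched and still speaking SMBv1 is the condition the ported modules need
        Exposed                = (-not $patched) -and $smb1
    }
}

Test-Ms17010Exposure | Format-List
```

On a host that reports Exposed = True, installing the MS17-010 update is the fix; on Windows 8 / Server 2012 and later, `Set-SmbServerConfiguration -EnableSMB1Protocol $false` removes the SMBv1 server entirely, and a non-empty NullSessionPipes list or RestrictNullSessAccess set to 0 is worth reviewing against what the host actually needs to serve anonymously.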
Versions of Windows that can be exploited
The reworked NSA exploits work on all unpatched versions of Windows since 2000, on both 32-bit and 64-bit architectures. Dillon included this list of supported Windows versions that can be exploited:
- Windows 2000 SP0 x86
- Windows 2000 Professional SP4 x86
- Windows 2000 Advanced Server SP4 x86
- Windows XP SP0 x86
- Windows XP SP1 x86
- Windows XP SP2 x86
- Windows XP SP3 x86
- Windows XP SP2 x64
- Windows Server 2003 SP0 x86
- Windows Server 2003 SP1 x86
- Windows Server 2003 Enterprise SP2 x86
- Windows Server 2003 SP1 x64
- Windows Server 2003 R2 SP1 x86
- Windows Server 2003 R2 SP2 x86
- Windows Vista Home Premium x86
- Windows Vista x64
- Windows Server 2008 SP1 x86
- Windows Server 2008 x64
- Windows 7 x86
- Windows 7 Ultimate SP1 x86
- Windows 7 Enterprise SP1 x86
- Windows 7 SP0 x64
- Windows 7 SP1 x64
- Windows Server 2008 R2 x64
- Windows Server 2008 R2 SP1 x64
- Windows 8 x86
- Windows 8 x64
- Windows Server 2012 x64
- Windows 8.1 Enterprise Evaluation 9600 x86
- Windows 8.1 SP1 x86
- Windows 8.1 x64
- Windows 8.1 SP1 x64
- Windows Server 2012 R2 x86
- Windows Server 2012 R2 Standard 9600 x64
- Windows Server 2012 R2 SP1 x64
- Windows 10 Enterprise 10.10240 x86
- Windows 10 Enterprise 10.10240 x64
- Windows 10 10.10586 x86
- Windows 10 10.10586 x64
- Windows Server 2016 10.10586 x64
- Windows 10 10.0.14393 x86
- Windows 10 Enterprise Evaluation 10.14393 x64
- Windows Server 2016 Data Center 10.14393 x64