This repository has been archived by the owner on Nov 4, 2023. It is now read-only.
forked from pythonone/MS17-010

MS17-010 Windows SMB RCE -- exploits, payloads, and scanners


SITCON-camp-2016/MS17-010

 
 


MS17-010

MS17-010 is the Microsoft security bulletin which fixes several remote code execution vulnerabilities in the SMB service on Windows systems.

There are numerous things about MS17-010 that make it esoteric, such as manipulating the Windows kernel pool heap allocations, running remote Windows ring 0 shellcode, and the intricacies of the different SMB protocol versions.

We previously improved the ExtraBacon exploit. https://github.com/RiskSense-Ops/CVE-2016-6366

Scanners

There is a Metasploit scanner and a Python port. The scanners are able to use uncredentialed information leakage to determine if the MS17-010 patch is installed on a host. If it is not installed, they also check for a DoublePulsar infection.
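The following added example (not code from this repository) shows the kind of response triage such a scanner performs for a defender: it parses the SMB1 header of a reply and classifies the host. The NTSTATUS values and the 0x51 multiplex ID are the publicly documented indicators for this check, assumed here because the page does not list them; `classify` and `make_header` are hypothetical names, and the sample headers are constructed.

```python
import struct

# NTSTATUS values from the Windows protocol documentation.
STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205
STATUS_ACCESS_DENIED = 0xC0000022
STATUS_INVALID_HANDLE = 0xC0000008

SMB_COM_TRANSACTION = 0x25   # reply to the named-pipe probe
SMB_COM_TRANSACTION2 = 0x32  # reply to the implant ping
DOUBLEPULSAR_MID = 0x51      # assumption: multiplex ID echoed by an implanted host


def parse_smb1_header(data):
    """Return (command, ntstatus, multiplex_id) from a 32-byte SMB1 header."""
    if len(data) < 32 or data[:4] != b"\xffSMB":
        raise ValueError("not an SMB1 message")
    command, status = struct.unpack_from("<BI", data, 4)  # offsets 4 and 5..8
    (mid,) = struct.unpack_from("<H", data, 30)           # offsets 30..31
    return command, status, mid


def classify(data):
    """Map one scanner reply to a finding a defender can act on."""
    command, status, mid = parse_smb1_header(data)
    if command == SMB_COM_TRANSACTION:
        if status == STATUS_INSUFF_SERVER_RESOURCES:
            return "missing MS17-010 patch"
        if status in (STATUS_ACCESS_DENIED, STATUS_INVALID_HANDLE):
            return "patched"
    if command == SMB_COM_TRANSACTION2:
        if mid == DOUBLEPULSAR_MID:
            return "DoublePulsar implant responding"
        return "no implant response"
    return "inconclusive"


def make_header(command, status, mid):
    """Build a constructed sample header (not captured traffic)."""
    return (b"\xffSMB" + struct.pack("<BI", command, status)
            + b"\x98" + struct.pack("<H", 0xC007) + bytes(12)
            + struct.pack("<4H", 0x0800, 0xFEFF, 0x0800, mid))


if __name__ == "__main__":
    for sample in (make_header(0x25, STATUS_INSUFF_SERVER_RESOURCES, 0x40),
                   make_header(0x25, STATUS_ACCESS_DENIED, 0x40),
                   make_header(0x32, 0xC0000002, 0x51)):
        print(classify(sample))
```

An unpatched host that also answers the implant ping should be treated as compromised, not just as missing a patch.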

Exploits

There is a Python script that can reliably infect Windows Server 2008 R2 SP1 x64 with DoublePulsar using the same technique as EternalBlue.

Payloads

Windows ring 0 shellcode is being crafted so that, instead of going through DoublePulsar, the transition from ring 0 to ring 3 and the running of usermode payloads (directly, with or without a DLL) is done in a single step. The size of the code is also being reworked, as the original shellcode appears to be compiler output, in order to accommodate more complex userland payloads in the first stage.

Resources

Disclaimer

This code serves an important business purpose for penetration testers and others to show impact to organizations, without having to run NSA malware binaries. We must ask that you use these tools for their intended, lawful purposes, and only with consent of targets.

License

Apache 2.0 and MSF

Credits

  • @zerosum0x0
  • @jennamagius
  • @The_Naterz
  • @Aleph___Naught
  • @nixawk
  • @JukeLennings (Countercept)

Acknowledgements

  • Shadow Brokers
  • Equation Group
  • skape
  • Stephen Fewer

Languages

  • Assembly 46.6%
  • Ruby 40.4%
  • Python 11.2%
  • Logos 1.8%