Several months ago (and maybe it is still continuing), many Windows hosts were infected and attacked by two major ransomware families: WannaCry and Petya/NotPetya. According to wired.co.uk, the ransomware spread was helped by a Microsoft Windows security vulnerability called EternalBlue.
EternalBlue is an exploit generally believed to have been developed by the U.S. National Security Agency (NSA). It was leaked by the Shadow Brokers hacker group on April 14, 2017, and was used as part of the worldwide WannaCry and Petya ransomware attacks on May 12, 2017 and June 27, 2017. It was also reported to have been used as part of the Retefe banking trojan since at least September 5, 2017.
EternalBlue exploits a vulnerability in Microsoft's Server Message Block version 1.0 (SMBv1) implementation. The vulnerability exists because the SMBv1 server in various versions of Microsoft Windows mishandles specially crafted packets from remote attackers, allowing them to execute arbitrary code on the target computer.
In this post, I will show a proof of concept of gaining remote access to Windows 7 by running the exploit with Metasploit. The EternalBlue exploit that I used is found on GitHub through this link. This exploit is a combination of two tools: "EternalBlue", which is used as the backdoor on Windows, and "DoublePulsar", which is used to inject a DLL file with the help of a payload. After I downloaded the exploit, there was a file named Eternal Blue-Doublepulsar.rb. First, I had to copy this file manually into the Metasploit Framework module directory (/usr/share/metasploit-framework/modules/exploits/windows/smb).
I looked up the target machine on my local network using Netdiscover.
I found that the target machine was 192.168.100.7 (VMware, Inc.). Then I scanned the machine using nmap.
Fortunately, the machine was indeed vulnerable to MS17-010, the SMB vulnerability exploited by EternalBlue. Once I was certain that the machine was vulnerable to EternalBlue, I launched the exploit. First, I generated the DLL payload using msfvenom and started the PostgreSQL service. My attacker machine was kali-linux3, whose IP address was 192.168.100.8.
Then I fired up the Metasploit Framework by launching msfconsole and used the exploit at the path exploit/windows/smb/eternalblue_doublepulsar.
From the picture above, there were several parameters that had to be filled in: RHOST (the victim IP address) and TARGETARCHITECTURE (whether the target machine is 32-bit or 64-bit). A payload must also be set; in this case I used windows/meterpreter/reverse_tcp.
After all parameters had been set, I launched the exploit, and fortunately it succeeded in exploiting the machine. It gave me an open session on the machine.
The important question is how to protect our computers from this exploit. The answer is that we should update Windows and install the patches, which Microsoft has released through this link.
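As an added example (not part of the original post), the following PowerShell function audits whether the SMBv1 server that EternalBlue targets is still enabled on a Windows host and, with the -Disable switch, turns it off; it is meant to complement installing the MS17-010 patches, not replace them. The function name Test-Smb1Exposure and its switch are this example's own; the cmdlets and the LanmanServer\Parameters registry value are the standard Windows ones.

```powershell
# Added example (not from the original post): audit and optionally disable the
# SMBv1 server that MS17-010 / EternalBlue targets. Patching remains the primary
# fix; disabling SMBv1 removes the exposed protocol surface. Run as Administrator.
# The function name and its -Disable switch are this example's own choices.
function Test-Smb1Exposure {
    [CmdletBinding()]
    param([switch]$Disable)

    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $result  = [ordered]@{ Host = $env:COMPUTERNAME; Smb1Enabled = $null; Source = $null; Action = 'none' }

    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Windows 8 / Server 2012 and later expose the setting directly.
        $result.Smb1Enabled = [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
        $result.Source      = 'Get-SmbServerConfiguration'
    } else {
        # Windows 7 / Server 2008 R2: the SMB1 DWORD under LanmanServer\Parameters
        # controls the server; when the value is absent, SMBv1 is enabled.
        $smb1 = (Get-ItemProperty -Path $regPath -Name SMB1 -ErrorAction SilentlyContinue).SMB1
        $result.Smb1Enabled = ($null -eq $smb1) -or ($smb1 -ne 0)
        $result.Source      = 'registry'
    }

    if ($Disable -and $result.Smb1Enabled) {
        # Disable the server-side protocol; a reboot is needed before it takes effect.
        if ($result.Source -eq 'Get-SmbServerConfiguration') {
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
            # Newer builds also ship SMBv1 as an optional feature; remove it where present.
            Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart `
                -ErrorAction SilentlyContinue | Out-Null
        } else {
            Set-ItemProperty -Path $regPath -Name SMB1 -Type DWord -Value 0 -Force
        }
        $result.Action = 'SMBv1 disabled; reboot required'
    }

    [pscustomobject]$result
}

# Audit only:
Test-Smb1Exposure
# Audit and remediate (from an elevated prompt):
# Test-Smb1Exposure -Disable
```

Hosts that report Smb1Enabled = True are exposing the protocol EternalBlue abuses, so they should be patched and, where no legacy device depends on SMBv1, have it disabled.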
That was a small PoC from Sudokom. Hopefully it gives you some benefit in securing your devices. Thanks.