Leaked NSA exploits work on all Windows versions since 2000

Pro

Image: Microsoft

6 February 2018

Three US National Security Agency (NSA) exploits previously leaked by The Shadow Brokers have been tweaked so they now work on all vulnerable Windows 2000 through Server 2016 targets, as well as standard and workstation counterparts.

Before this, EternalSynergy, EternalRomance, and EternalChampion had partially been used in the NotPetya cyber attack. However, they had not been used by malicious actors nearly as much as EternalBlue because they did not work on recent Windows versions. That has now changed thanks to RiskSense security researcher Sean Dillon (aka @zerosum0x0), who ported the Microsoft Server Message Block (SMB) exploits to work on Windows versions released over the past 18 years.

Can you judge by a disclaimer how much reworked exploits might wreck your digital world? Dillon’s disclaimer warned:

“This software has been created purely for the purposes of academic research and for the development of effective defensive techniques, and is not intended to be used to attack systems except where explicitly authorised. Authors and project maintainers are not responsible or liable for misuse of the software. Use responsibly.”

MS17-010 #EternalSynergy #EternalRomance #EternalChampion exploit and auxiliary modules for @Metasploit. Support for Windows 2000 through 2016. I basically bolted MSF psexec onto @sleepya_ zzz_exploit. https://t.co/UnGA1u4gWe pic.twitter.com/Y9SMFJguH1

— zǝɹosum0x0🦉 (@zerosum0x0) January 29, 2018

The “new and improved” versions of these exploits were ported to the Metasploit Framework.

How the exploits work
Tripwire explained, “Each of the revised exploits boast remote command and code execution modules that rely on the zzz_exploit adaptation in that they exploit the SMB connection session structures to gain Admin/SYSTEM access. Unlike EternalBlue, EternalSynergy, EternalRomance, and EternalChampion do not use kernel shellcode to stage Meterpreter. Someone could still stage Meterpreter, a payload which comes with the Metasploit penetration testing software, but they would likely need to evade their payloads.”

While that does not mean this is the end for EternalBlue, Dillon noted, “This module is highly reliable and preferred over EternalBlue where a Named Pipe is accessible for anonymous logins (generally, everything pre-Vista, and relatively common for domain computers in the wild).”

Security researcher Kevin Beaumont tried it out and added that it is reliable and does not cause a Blue Screen of Death like EternalBlue does.

Big one: SMB exploit (fixed in MS17-010+) now ported to Windows 2000 up to Windows Server 2016, and all versions in between. Reliable, doesn't cause BSOD like EternalBlue either. I've tried on Win2000 and XP. https://t.co/EZ96eFsV5C

— Kevin Beaumont (@GossiTheDog) January 29, 2018

According to Heimdal Security, “Instead of going for injecting a shellcode into a target system and taking control over it, attackers will try to overwrite the SMB (Server Message Block) connection session structures to gain admin rights over the system.”

Dillon added, “Unlike EternalBlue, the exploit module will drop to disk (or use a PowerShell command).”

In the span of a few short days, the newly modified exploits became two of the most popular tested modules for Metasploit.

exploit/windows/smb/ms17_010_psexec and auxiliary/admin/smb/ms17_010_command are now surely two of the most vigorously tested modules in all of @Metasploit. Thanks to everyone who helped! Should land to master branch soon… pic.twitter.com/NKy8nopF9p

advertisement

— zǝɹosum0x0🦉 (@zerosum0x0) February 2, 2018

“It is worth mentioning that these exploits could have self-replicate abilities that enable to spread fast and impact lots of machines, so we urge you to apply all software patches available,” wrote Heimdal Security.

Microsoft issued a patch in March 2017. If you haven’t deployed the fixes on your box yet, then it would be wise to do so now.

Versions of Windows that can be exploited
The reworked NSA exploits work on all unpatched versions, 32-bit and 64-bit architectures, of Windows since 2000. Dillon included this list of supported versions of Windows that can be exploited: