A security researcher has ported three leaked NSA exploits to work on all Windows versions released in the past 18 years, starting with Windows 2000.
The three exploits are EternalChampion, EternalRomance, and EternalSynergy; all three leaked last April by a hacking group known as The Shadow Brokers who claimed to have stolen the code from the NSA.
Several exploits and hacking tools were released in the April 2017 Shadow Brokers dump, the most famous being EternalBlue, the exploit used in the WannaCry, NotPetya, and Bad Rabbit ransomware outbreaks.
While EternalBlue became a favorite tool among malware authors, the Shadow Brokers dump also contained many lesser-known exploits. The reason many of these didn't become popular was that they only worked a small number of Windows versions, and did not support recent Windows distributions.
Now, RiskSense security researcher Sean Dillon (@zerosum0x0) has modified the source code for some of these lesser-known exploits so they would be able to work and run SYSTEM-level code on a wide variety of Windows OS versions.
The researcher has recently merged these modified versions of EternalChampion, EternalRomance, and EternalSynergy into the Metasploit Framework, an open-source penetration testing project.
Dillon has crafted his modified exploits to take advantage of the following vulnerabilities:
|CVE-2017-0143||Type confusion between WriteAndX and Transaction requests||EternalRomance
|CVE-2017-0146||Race condition with Transaction requests||EternalChampion
"Instead of going for shellcode execution, it overwrites the SMB connection session structures to gain Admin/SYSTEM session," Dillon says. "The [Metasploit Framework] module is leaner (stripped down packet count/padding), checks extra named pipes, sprinkles randomness where possible, and has Metasploit's psexec DCERPC implementation bolted onto it."
Dillon says his modified exploits will work on both 32-bit and 64-bit architectures. He listed the following Windows versions as supported:
Several security researchers have independently confirmed Dillon's exploit code works on these Windows versions.
exploit/windows/smb/ms17_010_psexec and auxiliary/admin/smb/ms17_010_command are now surely two of the most vigorously tested modules in all of @Metasploit. Thanks to everyone who helped! Should land to master branch soon... pic.twitter.com/NKy8nopF9p— zǝɹosum0x0 (@zerosum0x0) February 2, 2018
Users who installed the patches detailed in Microsoft security bulletin MS17-010 are protected against these exploits.
Part of Dillon's code uses a previous port of the EternalSynergy exploit created by security researcher Worawit Wang. Bleeping Computer previously covered in an article how Wang ported EternalSynergy to work on newer Windows versions.
In June 2017, Dillon also ported the EternalBlue exploit to work on Windows 10. Dillon also discovered the SMBLoris vulnerability.
Besides EternalBlue, the NotPetya and Bad Rabbit ransomware outbreaks also utilized the EternalRomance exploit that Dillon has recently ported to target a more broader spectrum of Windows versions.
Dillon also included the following disclaimed with his ports, wanting people to know the code was created to help companies identify vulnerable machines through pen-testing and develop mitigation strategies.
This software has been created purely for the purposes of academic research and for the development of effective defensive techniques, and is not intended to be used to attack systems except where explicitly authorized. Authors and project maintainers are not responsible or liable for misuse of the software. Use responsibly.