MS17-010, the new MS08-067?

April 17, 2017

This past Good Friday, @ShadowBrokers group (https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation) leaked a number of hacking tools/exploits from the NSA’s Arsenal. This leak contained operational notes from the NSA’s actively targeting of banks in the Middle East and their collection of exploitation tools targetting Microsoft Windows systems ranging from XP to Windows 8 and Windows Server 2012.

Link for the release: https://yadi.sk/d/NJqzpqo_3GxZA4

The public exploits for Windows systems are the most concerning, as these could be used to hack into exposed and unpatched Windows systems. In a number of cases these attacks can be performed across the network by targeting SMB, RDP, IMAP, and possibly other protocols. Names have been assigned to these exploits as shown in the figure below:

Shadowbroker exploit list

Shadowbroker exploit list

Reference for image: https://github.com/misterch0c/shadowbroker

Microsoft released patches for these exploits last week under the security Advisory MS17-010 https://technet.microsoft.com/en-us/library/security/ms17-010.aspx.

We at NotSoSecure decided to test the functionality of FUZZBUNCH (a very Metasploit-esc interface) in our hacklab and to verify a few of these exploits. @rebootuser tested the ETERNALBLUE exploit and recorded the following video demonstration of the attack against an unpatched Windows 7 host.

ETERNALBLUE is an exploit that targets the SMB protocol and results in RCE if successful. Doublepulsar (seemingly a very powerful) payload was used in this attack, and DLL injection was performed using a DLL generated by msfvenom. As shown in video, successful exploitation returns a Meterpreter session to the attacker’s machine.

As per Microsoft’s blog (https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/), patches for all vulnerabilities have been released and  thus it is highly recommended that all patches (especially the recent MS17-010)  are deployed immediately.

<marketing>

If you want to learn/master advance hacking techniques, we are running two classes of our Advanced Infrastructure Hacking course at Black Hat USA 2017 and we still have a few seats available. More details below:

https://www.blackhat.com/us-17/training/advanced-infrastructure-hacking-2017-edition-4-day.html (4 day class)

https://www.blackhat.com/us-17/training/advanced-infrastructure-hacking-2017-edition-2-day.html (2 day class, fast paced)

</marketing>

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

Trackback