MS17-010/README.md

# MS17-010

This repository is for public my work on MS17-010. I have no plan to do any support. **All support issues will not get response from me**.

## Files

 * **BUG.txt** MS17-010 bug detail and some analysis
 * **eternalblue_exploit7.py** Eternalblue exploit for windows 7/2008
 * **eternalblue_exploit8.py** Eternalblue exploit for windows 8/2012 x64
 * **eternalblue_poc.py** Eternalblue PoC for buffer overflow bug
 * **eternalblue_kshellcode_x64.asm** x64 kernel shellcode for my Eternalblue exploit. This shellcode should work on Windows Vista (maybe XP) and later 
 * **eternalblue_kshellcode_x86.asm** x86 kernel shellcode for my Eternalblue exploit. This shellcode should work on Windows Vista (maybe XP) and later
 * **eternalblue_sc_merge.py** Script for merging eternalblue x86 and x64 shellcode. Eternalblue exploit, that support both x86 and x64, with merged shellcode has no need to detect a target architecture
 * **eternalchampion_leak.py** Eternalchampion PoC for leaking info part
 * **eternalchampion_poc.py** Eternalchampion PoC for controlling RIP
 * **eternalchampion_poc2.py** Eternalchampion PoC for getting code execution
 * **eternalromance_leak.py** Eternalromance PoC for leaking info part
 * **eternalromance_poc.py** Eternalromance PoC for OOB write
 * **eternalromance_poc2.py** Eternalromance PoC for controlling a transaction which leading to arbitrary read/write
 * **eternalsynergy_leak.py** Eternalsynergy PoC for leaking info part
 * **eternalsynergy_poc.py** Eternalsynergy PoC for demonstrating heap spraying with large paged pool
 * **infoleak_uninit.py** PoC for leaking info from uninitialized transaction data buffer
 * **mysmb.py** Extended Impacket SMB class for easier to exploit MS17-010 bugs
 * **npp_control.py** PoC for controlling nonpaged pool allocation with session setup command
 * **zzz_exploit.py** Exploit for Windows7 and later (x64 only and requires access to named pipe)


## Anonymous user

Anonymous user (null session) get more restriction on default settings of new Windows version. To exploit Windows SMB without authentication, below behavior should be aware.

* Since Windows Vista (maybe Windows 2003 SPx), default settings does not allow anonymous to access any named pipe
* Since Windows 8, default settings does not allow anonymous to access IPC$ share (IPC$ might be acessible but cannot do much)


## About NSA exploits

* **Eternalblue** requires only access to IPC$ to exploit a target while other exploits require access to named pipe too. So the exploit always works against Windows < 8 in all configuration (if tcp port 445 is accessible). However, Eternalblue has a chance to crash a target higher than other exploits.
* **Eternalchampion** requires access to named pipe. The exploit has no chance to crash a target.
* **Eternalromance** requires access to named pipe. The exploit can target Windows < 8 because the bug for info leak is fixed in Windows 8. The exploit should have a chance to crash a target lower than Eternalblue (except large paged groom method). I never test a reliable of the exploit.
* **Eternalsynergy** requires access to named pipe. I believe this exploit is modified from Eternalromance to target Windows 8 and later. Eternalsynergy uses another bug for info leak and does some trick to find executable memory (I do not know how it works because I read only output log and pcap file).
Update README.md 2017-06-21 21:07:51 +07:00			`# MS17-010`

			`This repository is for public my work on MS17-010. I have no plan to do any support. All support issues will not get response from me.`

Update README.md 2017-06-20 20:27:52 +07:00			`## Files`
Initial upload 2017-06-20 00:08:35 +07:00
			`* BUG.txt MS17-010 bug detail and some analysis`
			`* eternalblue_exploit7.py Eternalblue exploit for windows 7/2008`
			`* eternalblue_exploit8.py Eternalblue exploit for windows 8/2012 x64`
fix typo 2017-06-20 00:10:22 +07:00			`* eternalblue_poc.py Eternalblue PoC for buffer overflow bug`
Update README.md 2017-06-20 20:27:52 +07:00			`* eternalblue_kshellcode_x64.asm x64 kernel shellcode for my Eternalblue exploit. This shellcode should work on Windows Vista (maybe XP) and later`
			`* eternalblue_kshellcode_x86.asm x86 kernel shellcode for my Eternalblue exploit. This shellcode should work on Windows Vista (maybe XP) and later`
			`* eternalblue_sc_merge.py Script for merging eternalblue x86 and x64 shellcode. Eternalblue exploit, that support both x86 and x64, with merged shellcode has no need to detect a target architecture`
Initial upload 2017-06-20 00:08:35 +07:00			`* eternalchampion_leak.py Eternalchampion PoC for leaking info part`
			`* eternalchampion_poc.py Eternalchampion PoC for controlling RIP`
			`* eternalchampion_poc2.py Eternalchampion PoC for getting code execution`
			`* eternalromance_leak.py Eternalromance PoC for leaking info part`
			`* eternalromance_poc.py Eternalromance PoC for OOB write`
Update README.md 2017-06-20 20:27:52 +07:00			`* eternalromance_poc2.py Eternalromance PoC for controlling a transaction which leading to arbitrary read/write`
Initial upload 2017-06-20 00:08:35 +07:00			`* eternalsynergy_leak.py Eternalsynergy PoC for leaking info part`
Update README.md 2017-06-25 23:50:56 +07:00			`* eternalsynergy_poc.py Eternalsynergy PoC for demonstrating heap spraying with large paged pool`
Initial upload 2017-06-20 00:08:35 +07:00			`* infoleak_uninit.py PoC for leaking info from uninitialized transaction data buffer`
			`* mysmb.py Extended Impacket SMB class for easier to exploit MS17-010 bugs`
			`* npp_control.py PoC for controlling nonpaged pool allocation with session setup command`
Update README.md 2017-06-20 20:27:52 +07:00			`* zzz_exploit.py Exploit for Windows7 and later (x64 only and requires access to named pipe)`


			`## Anonymous user`

			`Anonymous user (null session) get more restriction on default settings of new Windows version. To exploit Windows SMB without authentication, below behavior should be aware.`

			`* Since Windows Vista (maybe Windows 2003 SPx), default settings does not allow anonymous to access any named pipe`
			`* Since Windows 8, default settings does not allow anonymous to access IPC$ share (IPC$ might be acessible but cannot do much)`


			`## About NSA exploits`

			`* Eternalblue requires only access to IPC$ to exploit a target while other exploits require access to named pipe too. So the exploit always works against Windows < 8 in all configuration (if tcp port 445 is accessible). However, Eternalblue has a chance to crash a target higher than other exploits.`
			`* Eternalchampion requires access to named pipe. The exploit has no chance to crash a target.`
			`* Eternalromance requires access to named pipe. The exploit can target Windows < 8 because the bug for info leak is fixed in Windows 8. The exploit should have a chance to crash a target lower than Eternalblue (except large paged groom method). I never test a reliable of the exploit.`
			`* Eternalsynergy requires access to named pipe. I believe this exploit is modified from Eternalromance to target Windows 8 and later. Eternalsynergy uses another bug for info leak and does some trick to find executable memory (I do not know how it works because I read only output log and pcap file).`