module
MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
| Disclosed | Created |
|---|---|
| 03/14/2017 | 06/14/2018 |
Disclosed
03/14/2017
Created
06/14/2018
Description
This module will exploit SMB with vulnerabilities in MS17-010 to achieve a write-what-where
primitive. This will then be used to overwrite the connection session information with as an
Administrator session. From there, the normal psexec command execution is done.
Exploits a type confusion between Transaction and WriteAndX requests and a race condition in
Transaction requests, as seen in the EternalRomance, EternalChampion, and EternalSynergy
exploits. This exploit chain is more reliable than the EternalBlue exploit, but requires a
named pipe.
primitive. This will then be used to overwrite the connection session information with as an
Administrator session. From there, the normal psexec command execution is done.
Exploits a type confusion between Transaction and WriteAndX requests and a race condition in
Transaction requests, as seen in the EternalRomance, EternalChampion, and EternalSynergy
exploits. This exploit chain is more reliable than the EternalBlue exploit, but requires a
named pipe.
Authors
sleepyazerosum0x0Shadow BrokersEquation Group
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
msf > use auxiliary/admin/smb/ms17_010_command
msf /(d) > show actions
...actions...
msf /(d) > set ACTION < action-name >
msf /(d) > show options
...show and set options...
msf /(d) > run
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.