NSA exploits leaked by hackers tweaked to work on all versions of Windows since 2000
A trio of NSA exploits leaked by hacking group TheShadowBrokers has been ported to work on all versions of Windows since Windows 2000.
The EternalChampion, EternalRomance and EternalSynergy exploits were made public by the group last year, and now a security researcher has tweaked the source code so they will run on nearly two decades' worth of Microsoft operating systems -- both 32- and 64-bit variants.
- Kaspersky says it accidentally obtained secret NSA files from a US computer
- Report: Russian hackers stole NSA files after identifying them using Kaspersky software
- TheShadowBrokers group returns with NSA UNITEDRAKE hacking malware and promises more leaks
Sean Dillon from RiskSense -- who goes by the name @zerosum0x0 on Twitter -- modified the exploits to take advantage of the CVE-2017-0143 and CVE-2017-0146 vulnerabilities. He merged the exploits into open-source penetration testing project the Metasploit Framework.
The tweaked exploits can be run on a huge number of unpatched Windows systems, as Dillon shared on Twitter:
exploit/windows/smb/ms17_010_psexec and auxiliary/admin/smb/ms17_010_command are now surely two of the most vigorously tested modules in all of @Metasploit. Thanks to everyone who helped! Should land to master branch soon... pic.twitter.com/NKy8nopF9p
— zǝɹosum0x0? (@zerosum0x0) February 2, 2018
Releasing his code to GitHub, Dillon says:
This module is highly reliable and preferred over EternalBlue where a Named Pipe is accessible for anonymous logins (generally, everything pre-Vista, and relatively common for domain computers in the wild).
He goes on to say:
Instead of going for shellcode execution, it overwrites the SMB connection session structures to gain Admin/SYSTEM session. The MSF module is leaner (stripped down packet count/padding), checks extra named pipes, sprinkles randomness where possible, and has Metasploit's psexec DCERPC implementation bolted onto it.