A trio of NSA exploits leaked by hacking group TheShadowBrokers has been ported to work on all versions of Windows since Windows 2000.
The EternalChampion, EternalRomance and EternalSynergy exploits were made public by the group last year, and now a security researcher has tweaked the source code so they will run on nearly two decades' worth of Microsoft operating systems -- both 32- and 64-bit variants.
Sean Dillon from RiskSense -- who goes by the name @zerosum0x0 on Twitter -- modified the exploits to take advantage of the CVE-2017-0143 and CVE-2017-0146 vulnerabilities. He merged the exploits into the open-source penetration testing project, the Metasploit Framework.
The tweaked exploits can be run on a huge number of unpatched Windows systems, as Dillon shared on Twitter:
Releasing his code to GitHub, Dillon says:
This module is highly reliable and preferred over EternalBlue where a Named Pipe is accessible for anonymous logins (generally, everything pre-Vista, and relatively common for domain computers in the wild).
He goes on to say:
Instead of going for shellcode execution, it overwrites the SMB connection session structures to gain Admin/SYSTEM session. The MSF module is leaner (stripped down packet count/padding), checks extra named pipes, sprinkles randomness where possible, and has Metasploit's psexec DCERPC implementation bolted onto it.