# MS17-011 **Repository Path**: csharphpython/MS17-011 ## Basic Information - **Project Name**: MS17-011 - **Description**: MS17-010 - **Primary Language**: Unknown - **License**: Not specified - **Default Branch**: master - **Homepage**: None - **GVP Project**: No ## Statistics - **Stars**: 0 - **Forks**: 0 - **Created**: 2021-10-17 - **Last Updated**: 2021-10-17 ## Categories & Tags **Categories**: Uncategorized **Tags**: None ## README # MS17-010 This repository is for public my work on MS17-010. I have no plan to do any support. **All support issues will not get response from me**. ## Files * **BUG.txt** MS17-010 bug detail and some analysis * **checker.py** Script for finding accessible named pipe * **eternalblue_exploit7.py** Eternalblue exploit for windows 7/2008 * **eternalblue_exploit8.py** Eternalblue exploit for windows 8/2012 x64 * **eternalblue_poc.py** Eternalblue PoC for buffer overflow bug * **eternalblue_kshellcode_x64.asm** x64 kernel shellcode for my Eternalblue exploit. This shellcode should work on Windows Vista and later * **eternalblue_kshellcode_x86.asm** x86 kernel shellcode for my Eternalblue exploit. This shellcode should work on Windows Vista and later * **eternalblue_sc_merge.py** Script for merging eternalblue x86 and x64 shellcode. Eternalblue exploit, that support both x86 and x64, with merged shellcode has no need to detect a target architecture * **eternalchampion_leak.py** Eternalchampion PoC for leaking info part * **eternalchampion_poc.py** Eternalchampion PoC for controlling RIP * **eternalchampion_poc2.py** Eternalchampion PoC for getting code execution * **eternalromance_leak.py** Eternalromance PoC for leaking info part * **eternalromance_poc.py** Eternalromance PoC for OOB write * **eternalromance_poc2.py** Eternalromance PoC for controlling a transaction which leading to arbitrary read/write * **eternalsynergy_leak.py** Eternalsynergy PoC for leaking info part * **eternalsynergy_poc.py** Eternalsynergy PoC for demonstrating heap spraying with large paged pool * **infoleak_uninit.py** PoC for leaking info from uninitialized transaction data buffer * **mysmb.py** Extended Impacket SMB class for easier to exploit MS17-010 bugs * **npp_control.py** PoC for controlling nonpaged pool allocation with session setup command * **zzz_exploit.py** Exploit for Windows 2000 and later (requires access to named pipe) ## Anonymous user Anonymous user (null session) get more restriction on default settings of new Windows version. To exploit Windows SMB without authentication, below behavior should be aware. * Since Windows Vista, default settings does not allow anonymous to access any named pipe * Since Windows 8, default settings does not allow anonymous to access IPC$ share (IPC$ might be acessible but cannot do much) ## About NSA exploits * **Eternalblue** requires only access to IPC$ to exploit a target while other exploits require access to named pipe too. So the exploit always works against Windows < 8 in all configuration (if tcp port 445 is accessible). However, Eternalblue has a chance to crash a target higher than other exploits. * **Eternalchampion** requires access to named pipe. The exploit has no chance to crash a target. * **Eternalromance** requires access to named pipe. The exploit can target Windows < 8 because the bug for info leak is fixed in Windows 8. The exploit should have a chance to crash a target lower than Eternalblue. I never test a reliable of the exploit. * **Eternalsynergy** requires access to named pipe. I believe this exploit is modified from Eternalromance to target Windows 8 and later. Eternalsynergy uses another bug for info leak and does some trick to find executable memory (I do not know how it works because I read only output log and pcap file).