Last year, hacking group The Shadow Brokers shook the security world with a number of zero-day NSA exploits, putting millions of computers at risk. Just weeks later, hackers adapted EternalBlue to work with Windows 10, and it was only a matter of time before someone did the same with other exploits.
RiskSense’s Sean Dillion has gone just that with EternalSynergy, Romance, and Champion. A Metasploit module has been made available to penetration testers that works with all Windows versions above 2000.
“This module is highly reliable and preferred over EternalBlue where a Named Pipe is accessible for anonymous logins (generally, everything pre-Vista, and relatively common for domain computers in the wild),” said Dillion.
“Instead of going for shellcode execution, it overwrites the SMB connection session structures to gain Admin/SYSTEM session. The MSF [Metasploit Framework] module is leaner (stripped down packet count/padding), checks extra named pipes, sprinkles randomness where possible, and has Metasploit’s psexec DCERPC implementation bolted onto it.”
Over 40 Windows Versions
EternalSynergy makes use of CVE-2017-0143 and CVE-2017-0146. The former is a type confusion between WriteandX and transaction requests, while the latter refers to race condition with transaction requests.
The exploits will only work on unpatched systems, you can bet that across 43 OS versions, there will plenty who haven’t. In addition, the NSA’s secretive nature makes them hard to detect.
However, Dillon holds that his release was “created purely for the purposes of academic research and for the development of effective defensive techniques, and is not intended to be used to attack systems except where explicitly authorized.”
Protecting yourself against attacks only requires a quick update, so now is a good time to ensure your OS is the latest possible version.
You can find more information on Dillon’s GitHub project.