Description
Exploits the MS17-010 SMBv1 unauthenticated heap overflow to deliver a SpecterInsight agent on unpatched Windows targets (XP through Server 2008 R2).
Overview
Exploits CVE-2017-0144 (EternalBlue / MS17-010) — an unauthenticated remote code execution vulnerability in the Windows SMBv1 server (srv.sys). The exploit triggers an integer overflow in SrvOs2FeaListSizeToNt to corrupt the nonpaged pool and gain ring-0 execution, then delivers a SpecterInsight SRDI agent into a user-mode process on the target.
No credentials are required. The target only needs TCP 445 reachable and SMBv1 enabled with MS17-010 unpatched.
Arguments
| Parameter | Type | Mandatory | Description |
|---|---|---|---|
| ComputerName | string[] | Yes | Target IP address(es) or hostname(s). |
| BuildId | string | No | Agent build ID. Defaults to the current session build. |
Dependencies
- smb
Operating Systems
- Windows XP, Vista, 7, Server 2003, Server 2008, Server 2008 R2 (x64)
- SMBv1 must be enabled; MS17-010 (KB4012212 / KB4012213) must not be applied.
Pre-Requisites
- TCP port 445 reachable from the current agent.
- No authentication required; the exploit is fully unauthenticated.
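To verify on a host you administer whether the preconditions listed under Operating Systems and Pre-Requisites still hold (SMBv1 enabled, MS17-010 absent, port 445 listening), here is an added defensive check; it is not part of this module, assumes local administrator rights and PowerShell 2.0 or later, and uses only the KB identifiers named on this page, so other OS builds need their own KB numbers added.

```powershell
# Added defensive check (not part of the SpecterInsight module): reports whether
# the local Windows host still meets the conditions this module relies on.
# Assumptions: run locally as an administrator; PowerShell 2.0+; KB list from this page.
function Test-Ms17010Exposure {
    [CmdletBinding()]
    param(
        # KB4012212 / KB4012213 are the ids named on this page. Extend the list
        # for other builds, which received MS17-010 under different KB numbers.
        [string[]]$PatchIds = @('KB4012212', 'KB4012213')
    )

    # SMBv1 is enabled unless the LanmanServer "SMB1" value exists and is 0.
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $smb1Value = (Get-ItemProperty -Path $params -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $smb1Enabled = ($null -eq $smb1Value) -or ($smb1Value -ne 0)

    # Get-HotFix lists installed updates; any matching KB means the fix is present.
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $PatchIds -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID

    # The module needs TCP 445 reachable; check whether the host is listening on it.
    $port445 = netstat -an | Select-String ':445\s+.*LISTENING'

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        Smb1Enabled    = $smb1Enabled
        Ms17010Patches = ($installed -join ', ')
        Port445Listen  = [bool]$port445
        # Exposed is true when SMBv1 is on and none of the listed KBs is installed.
        Exposed        = $smb1Enabled -and (-not $installed)
    }
}

Test-Ms17010Exposure
```

A host reporting Exposed = True should have SMBv1 disabled and the MS17-010 update applied; a False result only covers the KB ids in the list, so a cumulative rollup that superseded them will not be recognised unless its id is added.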
Example Output
ComputerName : 10.10.10.40
Vulnerable : True
Exploited : True
Error :
{
"ComputerName": "10.10.10.40",
"Vulnerable": true,
"Exploited": true,
"Error": null
}
