A security researcher has made three leaked NSA exploits work on all versions of Windows since Windows 2000. These exploits were leaked last year by The Shadow Brokers. This is the same group that had leaked the notorious EternalBlue exploit that was used to power the biggest online ransomware campaign this industry has seen so far.
The three exploits in question are EternalChampion, EternalRomance, and EternalSynergy, all of which were leaked by TSB in April last year. A security researcher has now reworked the source code so that all of them run on every Windows version released in the last two decades, "for the purposes of academic research and for the development of effective defensive techniques".
The researcher behind this is Sean Dillon from RiskSense (@zerosum0x0 on Twitter). The effort uses the security vulnerabilities tracked as CVE-2017-0143 (EternalRomance, EternalSynergy) and CVE-2017-0146 (EternalChampion, EternalSynergy). While some might suggest Dillon has made it easier for attackers to use these exploits, the criminal community has been extensively using leaked NSA exploits for the past 8 months or so. Dillon has merged these exploits into the open-source penetration testing project, the Metasploit Framework.
Releasing his code on GitHub, Dillon added that "this module is highly reliable and preferred over EternalBlue where a Named Pipe is accessible for anonymous logins (generally, everything pre-Vista, and relatively common for domain computers in the wild)."
Instead of going for shellcode execution, it overwrites the SMB connection session structures to gain Admin/SYSTEM session. The MSF [Metasploit Framework] module is leaner (stripped down packet count/padding), checks extra named pipes, sprinkles randomness where possible, and has Metasploit's psexec DCERPC implementation bolted onto it.
The security researcher added that the modified exploits work on both the 32-bit and 64-bit architectures. The following versions are vulnerable/supported:
exploit/windows/smb/ms17_010_psexec and auxiliary/admin/smb/ms17_010_command are now surely two of the most vigorously tested modules in all of @Metasploit. Thanks to everyone who helped! Should land to master branch soon... pic.twitter.com/NKy8nopF9p
— zǝɹosum0x0? (@zerosum0x0) February 2, 2018
This isn't the first time researchers have modified NSA exploits for research and pen-testing purposes. However, it's probably the first time that nearly a decade's worth of systems have been shown to be vulnerable to these exploits. Dillon did include a disclaimer with his release saying that this is "purely for the purposes of academic research and for the development of effective defensive techniques, and is not intended to be used to attack systems except where explicitly authorized".