ms17_010_eternalblue is a remote exploit against Microsoft Windows, originally written by the Equation Group (NSA) and leaked by Shadow Brokers (an unknown hacking entity). It is considered a reliable exploit and allows you to gain access not only as SYSTEM - the highest Windows user-mode privilege - but also full control of the kernel in ring 0. In modern-day penetration tests, this exploit can be found in internal and external environments.
As far as remote kernel exploits go, this one is highly reliable and safe to use.
The check command of ms17_010_eternalblue is also highly accurate, because Microsoft’s patch inadvertently added an information disclosure with extra checks on vulnerable code paths.
This exploit works against a vulnerable SMB service from one of these Windows systems:
To reliably determine whether the machine is vulnerable, you will have to either examine the system's patch level or use a vulnerability check.
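The check described above keys on which NT_STATUS the server returns to the probe transaction. As an added example (not part of this module's documentation or of Metasploit's own code), the Python below parses an SMB1 response header and classifies the answer the way the public MS17-010 checks do: the packets are constructed inline, and the status-code mapping (STATUS_INSUFF_SERVER_RESOURCES for an unpatched server, STATUS_INVALID_HANDLE or STATUS_ACCESS_DENIED for a patched one) is this example's assumption about the check logic, not something stated on the page.

```python
import struct

# NTSTATUS values the public MS17-010 checks distinguish on. This mapping is an
# assumption of this example; the page itself does not list status codes.
STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205  # unpatched code path answers the probe with this
STATUS_INVALID_HANDLE = 0xC0000008           # patched server
STATUS_ACCESS_DENIED = 0xC0000022            # patched server

SMB_COM_TRANSACTION = 0x25  # the probe is an SMB1 TRANS request on the IPC$ share
SMB_FLAGS_REPLY = 0x80      # flags bit set on every server response


def parse_smb1_header(packet: bytes) -> dict:
    """Parse a NetBIOS session message carrying a 32-byte SMB1 header.

    Layout: 1-byte NetBIOS type, 3-byte big-endian length, then
    b'\\xffSMB', command (1), NT_STATUS (4, LE), flags (1), flags2 (2),
    PIDHigh (2), signature (8), reserved (2), TID, PID, UID, MID (2 each).
    """
    if len(packet) < 36:
        raise ValueError("packet too short for NetBIOS + SMB1 header")
    if packet[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    nb_len = int.from_bytes(packet[1:4], "big")
    if nb_len != len(packet) - 4:
        raise ValueError("NetBIOS length does not match payload length")
    hdr = packet[4:36]
    if hdr[:4] != b"\xffSMB":
        raise ValueError("not an SMB1 header")
    command, status, flags, flags2 = struct.unpack_from("<BIBH", hdr, 4)
    return {
        "command": command,
        "status": status,
        "flags": flags,
        "flags2": flags2,
        "is_response": bool(flags & SMB_FLAGS_REPLY),
    }


def classify_check_response(packet: bytes) -> str:
    """Turn the server's reply to the probe into a check verdict."""
    hdr = parse_smb1_header(packet)
    if not hdr["is_response"] or hdr["command"] != SMB_COM_TRANSACTION:
        return "unexpected"  # not a reply to the transaction we sent
    if hdr["status"] == STATUS_INSUFF_SERVER_RESOURCES:
        return "vulnerable"
    if hdr["status"] in (STATUS_INVALID_HANDLE, STATUS_ACCESS_DENIED):
        return "patched"
    return "unknown"  # some other status: do not guess either way


def build_smb1_response(command: int, status: int) -> bytes:
    """Construct a minimal SMB1 response (constructed sample, not a capture)."""
    hdr = b"\xffSMB" + struct.pack("<BIBH", command, status, SMB_FLAGS_REPLY | 0x08, 0xC807)
    hdr += struct.pack("<H8sHHHHH", 0, b"\x00" * 8, 0, 0, 0, 0, 0)  # PIDHigh..MID
    body = b"\x00" + b"\x00\x00"  # WordCount = 0, ByteCount = 0
    payload = hdr + body
    return b"\x00" + len(payload).to_bytes(3, "big") + payload


if __name__ == "__main__":
    for label, status in (("unpatched host", STATUS_INSUFF_SERVER_RESOURCES),
                          ("patched host", STATUS_ACCESS_DENIED)):
        pkt = build_smb1_response(SMB_COM_TRANSACTION, status)
        print(f"{label}: NT_STATUS=0x{parse_smb1_header(pkt)['status']:08X} "
              f"-> {classify_check_response(pkt)}")
```

The classifier deliberately returns "unknown" for any status it does not recognise rather than defaulting to "patched", so a filtered port, a non-SMB1 speaker, or a server that rejects the session before the probe is never reported as safe.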
set RHOST [address]
Target: Windows 7/2008 x64
set ProcessName [string]
This is the usermode process that an APC containing shellcode will be queued into.
This should probably be a SYSTEM process, such as
set MaxExploitAttempts [integer]
Grooming the kernel does not always succeed, so this is the amount of times to retry the exploit.
set GroomAllocations [integer]
This is the base number of groom packets that will be sent per exploit.
set GroomDelta [integer]
This is the number of additional groom packets sent on each retry after a failed attempt.
Unsafe configuration of Target
It is not possible to determine the architecture (x86 or x64) of a machine from its SMB headers. The exploit has safeguards to silently fail if you use the wrong arch. If the shells aren't poppin', try to change the architecture.