automatic module_metadata_base.json update

2018-06-21 13:42:14 -07:00 · 2018-06-21 13:42:14 -07:00 · bfd1bd590b
parent a408a2a719
commit bfd1bd590b
1 changed files with 38 additions and 0 deletions
--- a/db/modules_metadata_base.json
+++ b/db/modules_metadata_base.json
@ -81863,6 +81863,44 @@
    "is_install_path": true,
    "ref_name": "windows/smb/ms17_010_eternalblue"
  },
+  "exploit_windows/smb/ms17_010_eternalblue_win8": {
+    "name": "MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+",
+    "full_name": "exploit/windows/smb/ms17_010_eternalblue_win8",
+    "rank": 200,
+    "disclosure_date": "2017-03-14",
+    "type": "exploit",
+    "author": [
+      "Equation Group",
+      "Shadow Brokers",
+      "sleepya",
+      "wvu <wvu@metasploit.com>"
+    ],
+    "description": "EternalBlue exploit for Windows 8, Windows 10, and 2012 by sleepya\n        The exploit might FAIL and CRASH a target system (depended on what is overwritten)\n        The exploit support only x64 target\n\n        Tested on:\n        - Windows 2012 R2 x64\n        - Windows 8.1 x64\n        - Windows 10 Pro Build 10240 x64\n        - Windows 10 Enterprise Evaluation Build 10586 x64\n\n\n        Default Windows 8 and later installation without additional service info:\n        - anonymous is not allowed to access any share (including IPC$)\n          - More info: https://support.microsoft.com/en-us/help/3034016/ipc-share-and-null-session-behavior-in-windows\n        - tcp port 445 is filtered by firewall\n\n\n        Reference:\n        - http://blogs.360.cn/360safe/2017/04/17/nsa-eternalblue-smb/\n        - \"Bypassing Windows 10 kernel ASLR (remote) by Stefan Le Berre\" https://drive.google.com/file/d/0B3P18M-shbwrNWZTa181ZWRCclk/edit\n\n\n        Exploit info:\n        - If you do not know how exploit for Windows 7/2008 work. Please read my exploit for Windows 7/2008 at\n            https://gist.github.com/worawit/bd04bad3cd231474763b873df081c09a because the trick for exploit is almost the same\n        - The exploit use heap of HAL for placing fake struct (address 0xffffffffffd00e00) and shellcode (address 0xffffffffffd01000).\n            On Windows 8 and Wndows 2012, the NX bit is set on this memory page. Need to disable it before controlling RIP.\n        - The exploit is likely to crash a target when it failed\n        - The overflow is happened on nonpaged pool so we need to massage target nonpaged pool.\n        - If exploit failed but target does not crash, try increasing 'GroomAllocations' value (at least 5)\n        - See the code and comment for exploit detail.\n\n\n        Disable NX method:\n        - The idea is from \"Bypassing Windows 10 kernel ASLR (remote) by Stefan Le Berre\" (see link in reference)\n        - The exploit is also the same but we need to trigger bug twice\n        - First trigger, set MDL.MappedSystemVa to target pte address\n        - Write '\\x00' to disable the NX flag\n        - Second trigger, do the same as Windows 7 exploit\n        - From my test, if exploit disable NX successfully, I always get code execution",
+    "references": [
+      "MSB-MS17-010",
+      "CVE-2017-0143",
+      "CVE-2017-0144",
+      "CVE-2017-0145",
+      "CVE-2017-0146",
+      "CVE-2017-0147",
+      "CVE-2017-0148",
+      "EDB-42030",
+      "URL-https://github.com/worawit/MS17-010",
+      "AKA-ETERNALBLUE"
+    ],
+    "is_server": true,
+    "is_client": false,
+    "platform": "Windows",
+    "arch": "x64",
+    "rport": "445",
+    "targets": [
+      "win x64"
+    ],
+    "mod_time": "2018-06-21 15:10:47 +0000",
+    "path": "/modules/exploits/windows/smb/ms17_010_eternalblue_win8.py",
+    "is_install_path": true,
+    "ref_name": "windows/smb/ms17_010_eternalblue_win8"
+  },
  "exploit_windows/smb/ms17_010_psexec": {
    "name": "MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution",
    "full_name": "exploit/windows/smb/ms17_010_psexec",