EternalBlue SMBv1 Remote Code Execution in Microsoft Windows
CVE-2017-0144 is a remote code execution vulnerability in the SMBv1 server implementation in Microsoft Windows, addressed by Microsoft in MS17-010 and widely known as EternalBlue. Affected platforms include Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; Windows 10 Gold, 1511, and 1607; and Windows Server 2016. Microsoft’s description states that remote attackers can execute arbitrary code by sending crafted SMB packets to a vulnerable SMBv1 server. Supporting technical analysis attributes exploitation to flaws in SMBv1 processing within srv.sys: a wrong-cast bug during OS/2 FEA to NT FEA conversion that leads to a non-paged pool overflow; transaction parsing behavior that enables the size confusion needed to trigger the overflow; and session setup behavior used for non-paged pool grooming. Exploitation can corrupt adjacent srvnet structures and MDL metadata in kernel memory and ultimately redirect execution to attacker-controlled shellcode.
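The wrong-cast bug named above is an integer-width mismatch: a size computed from the entries that were actually validated is written back into the list's 32-bit size field through a 16-bit store, so the field's upper half keeps whatever the sender supplied, and a later copy loop bounded by that field runs past an output buffer that was sized from the validated entries. The C program below is an illustration added here, not code from the page or from srv.sys. It models the pattern on a constructed list format (the header layout, entry encoding, function names and sample bytes are all assumptions, not the real OS/2 FEA structures), shows the buggy write-back beside the corrected one, and reports the mismatch between loop bound and allocation instead of performing any copy.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Toy list format, constructed for this example (not the real SMB OS/2 FEA
 * layout): a 4-byte little-endian total size (header included), followed by
 * entries of [name_len:1][value_len:2 LE][name bytes][value bytes]. */
#define HDR_LEN 4

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static uint16_t rd16(const uint8_t *p) {
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Walk the entries that fit inside both the declared size and the buffer.
 * Returns the bytes they occupy (header included); a truncated trailing entry
 * ends the walk, mirroring a size pass that stops at the first entry that does
 * not fit. Returns 0 if even the header is missing. */
static uint32_t walk_entries(const uint8_t *buf, size_t buf_len) {
    if (buf_len < HDR_LEN) return 0;
    uint32_t declared = rd32(buf);
    size_t limit = declared < buf_len ? declared : buf_len;
    size_t off = HDR_LEN;
    while (off + 3 <= limit) {
        size_t entry = 3 + buf[off] + rd16(buf + off + 1);
        if (off + entry > limit) break;
        off += entry;
    }
    return (uint32_t)off;
}

/* Wrong-cast write-back: the walked size goes into the 32-bit field through a
 * 16-bit store, so bytes 2..3 keep the sender's value. */
static void fixup_size_buggy(uint8_t *buf, uint32_t walked) {
    buf[0] = (uint8_t)(walked & 0xff);
    buf[1] = (uint8_t)((walked >> 8) & 0xff);
}

/* Corrected write-back: the whole 32-bit field is replaced. */
static void fixup_size_fixed(uint8_t *buf, uint32_t walked) {
    for (int i = 0; i < 4; i++) buf[i] = (uint8_t)((walked >> (8 * i)) & 0xff);
}

/* Model the conversion step: the output buffer is sized from the walked
 * entries, but the copy loop is bounded by the header field after write-back.
 * Returns how far the loop bound exceeds the allocation (0 means consistent).
 * Nothing is copied; only the sizes are compared. */
static uint32_t copy_overrun(uint8_t *buf, size_t buf_len,
                             void (*fixup)(uint8_t *, uint32_t)) {
    uint32_t walked = walk_entries(buf, buf_len);
    if (walked == 0) return 0;           /* malformed request: nothing to convert */
    fixup(buf, walked);
    uint32_t loop_bound = rd32(buf);
    return loop_bound > walked ? loop_bound - walked : 0;
}

/* Constructed sample: the header claims 0x0001001A bytes (note the set high
 * word); the buffer holds two complete 8-byte entries and one truncated one. */
#define SAMPLE_LEN 26
static size_t build_sample(uint8_t out[SAMPLE_LEN]) {
    static const uint8_t sample[SAMPLE_LEN] = {
        0x1A, 0x00, 0x01, 0x00,                 /* declared size 0x0001001A */
        2, 3, 0, 'a', 'b', 'x', 'y', 'z',       /* entry 1: name "ab", value "xyz" */
        2, 3, 0, 'c', 'd', '1', '2', '3',       /* entry 2: name "cd", value "123" */
        16, 0, 0, 'Q', 'R', 'S',                /* entry 3: 16-byte name claimed, 3 present */
    };
    memcpy(out, sample, SAMPLE_LEN);
    return SAMPLE_LEN;
}

static uint32_t walked_sample_size(void) {
    uint8_t buf[SAMPLE_LEN];
    size_t n = build_sample(buf);
    return walk_entries(buf, n);
}

static uint32_t overrun_with_buggy_fixup(void) {
    uint8_t buf[SAMPLE_LEN];
    size_t n = build_sample(buf);
    return copy_overrun(buf, n, fixup_size_buggy);
}

static uint32_t overrun_with_fixed_fixup(void) {
    uint8_t buf[SAMPLE_LEN];
    size_t n = build_sample(buf);
    return copy_overrun(buf, n, fixup_size_fixed);
}

int main(void) {
    printf("validated list size: %u bytes\n", walked_sample_size());
    printf("loop bound exceeds allocation by %u bytes with the 16-bit store\n",
           overrun_with_buggy_fixup());
    printf("loop bound exceeds allocation by %u bytes with the 32-bit store\n",
           overrun_with_fixed_fixup());
    return 0;
}
```

With the 16-bit store the header's stale high word leaves the loop bound 65536 bytes beyond the 20 bytes that were validated; the 32-bit store makes the two agree. The defensive lesson is the one the real fix applied: a size that is recomputed after validation must replace the whole field, and the copy loop should be bounded by the same value used to size the destination, never by a sender-controlled field.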
Are you exposed to this one?
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
4 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (27 hidden).
This repository is a small lab/demo project built around a Metasploit exploit module and a harmless ransomware-themed batch script. The main exploit file is ms17_010_eternalblue.rb, a Ruby Metasploit module implementing the EternalBlue SMB exploit against vulnerable Microsoft Windows SMBv1 targets. The module is a real exploit, not just a detector: it performs SMB protocol interaction over TCP/445, supports anonymous or credentialed SMB authentication, uses the auxiliary/scanner/smb/smb_ms17_010 check module, and is designed to achieve remote kernel memory corruption leading to arbitrary code execution. The module metadata indicates support for multiple Windows versions including Windows 7, Windows Embedded Standard 7, Server 2008 R2, Windows 8/8.1, Server 2012, and some Windows 10 Pro builds, and references the MS17-010 vulnerability set (CVE-2017-0143 through CVE-2017-0148). In practical use, the README demonstrates pairing it with a windows/x64/meterpreter/reverse_tcp payload to obtain a SYSTEM-level Meterpreter session. The repository structure is simple: README.md documents a university lab exercise, the exploitation workflow, post-exploitation commands, and mitigation via KB4012212; ms17_010_eternalblue.rb is the actual exploit module; wannacry64.bat is a separate Windows batch file that only simulates a WannaCry-style ransom screen. The batch file contains no encryption, persistence, propagation, or destructive logic; it displays a countdown, a fake progress bar, sample filenames, and a hardcoded Bitcoin address as part of the visual demo. Overall, the repository’s purpose is educational: demonstrate exploitation of MS17-010 in an isolated lab, show post-exploitation access, and then illustrate a safe ransomware-themed payload simulation plus patch-based mitigation.
The repository 'autoblue' is an automated exploit tool targeting the EternalBlue vulnerability (CVE-2017-0144) in Microsoft Windows systems. The main script, 'autoblue.sh', is a Bash script that automates the process of scanning a target IP for the MS17-010 vulnerability using Nmap and, if found vulnerable, launches the Metasploit Framework's EternalBlue exploit module. The script prompts the user for both the target and attacker's IP addresses, scans the target's port 445 for SMBv1 vulnerabilities, and, upon confirmation, executes Metasploit with a pre-configured payload (windows/x64/meterpreter/reverse_tcp) to obtain a reverse shell on the target. The script logs its actions to 'autoblue.log' and uses 'nmap_scan.log' for scan results. The repository includes a README with detailed usage instructions, prerequisites, and security considerations. The exploit is operational, automating both detection and exploitation, and is intended for use in authorized penetration testing or educational environments.
This repository is a Capture The Flag (CTF) challenge simulating exploitation of the EternalBlue vulnerability (CVE-2017-0144) on Windows 7. The structure includes a web-based flag submission site (Flag-site/), detailed documentation (README.md, deployment.md, writeup.md), and a set of exploit modules (exploit-modules/) derived from public research on MS17-010. The main exploit code is in Python (eternalromance_poc2.py), demonstrating the EternalRomance technique for arbitrary read/write via SMB, and is supported by custom kernel shellcode in assembly (eternalblue_kshellcode_x64.asm) and a script for merging shellcode for different architectures (eternalblue_sc_merge.py). The exploit achieves remote code execution as SYSTEM, allowing the attacker to retrieve the flag from C:\Windows\System32\flag.txt. The repository is not a framework but provides a working proof-of-concept exploit and all necessary resources to reproduce the attack in a controlled environment. The challenge is well-documented, with clear setup and exploitation instructions, and is suitable for educational and research purposes.
This repository contains three Python scripts related to the exploitation of the MS17-010 (EternalBlue) vulnerability (CVE-2017-0144) in Microsoft Windows SMBv1. The files are:
1. eternalblue_scanner.py: A scanner script that checks if a given IP address is vulnerable to MS17-010 or infected with the DoublePulsar backdoor. It crafts and sends SMB packets to the target's TCP port 445 and analyzes the responses to determine vulnerability status.
2. windows7-windows2008R2-x64.py: An exploit script targeting Windows 7 SP1 x64 and Windows 2008 R2 x64 systems. It leverages the EternalBlue vulnerability to achieve remote code execution by sending specially crafted SMB packets and injecting user-supplied shellcode into the target's memory. The script requires the attacker to provide a shellcode file and the target IP address.
3. windows8-windows2012R2-x64.py: An exploit script for Windows 8.1 x64 and Windows 2012 R2 x64 systems. It uses a similar technique as the previous script but includes additional steps to bypass security features (such as disabling the NX bit) present in newer Windows versions. It also requires a shellcode file and the target IP address.
All scripts are written in Python and require network access to the target's SMB service (TCP port 445). The exploit scripts are operational and allow the attacker to execute arbitrary code on vulnerable systems. The repository does not belong to a known exploit framework and is standalone. No hardcoded IP addresses or domains are present; the target is specified at runtime.
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
15 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A remote code execution vulnerability in Microsoft Windows SMBv1 that allowed unauthenticated exploitation and was used by WannaCry for worm-like propagation.
A Windows SMB remote code execution vulnerability known as EternalBlue that was used by attackers to gain initial access in the LemonDuck malware campaign.
A Windows SMBv1 remote code execution vulnerability (part of the MS17-010 set) cited as used by major malware outbreaks.
A Windows SMB vulnerability historically used for remote code execution/wormable propagation; cited here as an earlier infection vector used to spread PipeMagic.
The version that knows your environment.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.